session()->stop() not destroying data
#8

(05-11-2020, 09:52 AM)jreklund Wrote: Are you still logged in (or other session data intact) after you have executed the stop() function?

You always get a new empty session when you have session set to autoload, but it should be empty. If it's not empty, it's a security risk.

"You may also use the stop() method to completely kill the session by removing the old session_id, destroying all data, and destroying the cookie that contained the session id". This part of the user guide says it's destroyed, but due to the nature of your application you have session on autoload, so they get a new one instantly.

That's my entire point yes, I am still logged in???

It does indeed instantly load a new session (new session id), but all the session data from the old one is copied across, hence the entire reason for this thread and question...

I see this as a massive security risk especially based on what the docs say - unless I am missing something here?? Official CI could you shed any light - is this a bug or intentional?
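
The symptom described in this post (new session id, old data still present) is what plain PHP produces when a session id is rotated without emptying `$_SESSION` first. The following is an added example, not code from the thread or from CodeIgniter, and it does not establish how `stop()` is implemented; the helper names, the CLI settings and the sample data are assumptions made for the demonstration.

```php
<?php
// Added example: plain PHP session functions only, not CodeIgniter code.
declare(strict_types=1);

// CLI-friendly settings so the demo runs without a browser (assumption).
ini_set('session.use_cookies', '0');
ini_set('session.save_path', sys_get_temp_dir());

/** Rotate the id only: the old record is deleted, but $_SESSION is kept. */
function rotate_id_only(): void
{
    session_regenerate_id(true);
}

/** Full teardown: empty the data first, then rotate the id. */
function clear_then_rotate(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

/** Log in a constructed user, run $teardown, report what survives it. */
function leftover_after(callable $teardown): array
{
    session_start();
    $_SESSION = ['user_id' => 42, 'logged_in' => true]; // constructed sample data
    $oldId = session_id();

    $teardown();

    $result = [
        'id_changed' => session_id() !== $oldId,
        'leftover'   => array_keys($_SESSION),
    ];
    session_destroy(); // remove the demo session record
    return $result;
}

// Run both variants first, print afterwards (no output before session calls).
$report = [
    'rotate_id_only'    => leftover_after('rotate_id_only'),
    'clear_then_rotate' => leftover_after('clear_then_rotate'),
];
foreach ($report as $name => $r) {
    printf("%-18s id_changed=%s leftover=[%s]\n", $name,
        var_export($r['id_changed'], true), implode(', ', $r['leftover']));
}
```

The same check (log in, tear down, list the keys that remain) can be run as a regression test against whatever logout path an application actually uses.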