My grasp of sessions is not great, but I have been using them without incident for about six months now on my company's intranet. Over the last month I wrote an application to log my department's time using MySQL and PHP. It takes advantage of the session tracking already in place, and has passed our internal QA cycle with flying colors. Here is my problem:

I use a session file to track the session. An employee has to be logged in to see the link for the application. They also have to be logged in to view the page; if not, they are prompted to log in. If they logged in and the session expires, and they then try to click on a link, they are prompted to log in before they can continue. All of this has been working fine. So up goes the time logging app yesterday and people start using it.

Someone manages to enter time into the app, without their name! Which seems impossible because you have to be logged in to use the app, and if you are logged in, the app knows who you are and uses that value to give the time logged an owner.

OK, so after I recover from my heart attack, I go about debugging this and I manage to reproduce the occurrence by logging in and going to the page where a user logs and submits a chunk of time. Before submitting the form though, I go to the server and delete the session file. Then back to the form, submit it, and it appears to do what it should by refreshing the page and prompting me to log in. I check the database, and there is the row without the user name.

I have determined that this must be a freak occurrence of someone submitting the form at the same time that PHP had determined that the session files were garbage and deleted them.

I'm not sure that I am asking for anything more than insight or comments here because I don't think that it will happen again (I hope).

Has anybody had similar problems or bugs? How should I fine-tune the deleting of garbage session files? Ideally, I would have the ability to delete all session files at a certain time of day, like when no one was using the intranet.
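
The failure described above (a row written with no owner after the session file disappears) can be shown in a small example. It is added here and is not the poster's code. It refuses the write when the session carries no user and lets the database reject ownerless rows as a second line of defense. The `time_log` table, the `username` session key and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical schema (in-memory SQLite so the example runs offline).
// NOT NULL + CHECK make the database itself reject a row with no owner,
// even if an application-level check is ever skipped.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE time_log (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL CHECK (length(username) > 0),
    hours    REAL NOT NULL
)");

/**
 * Return the logged-in user name, or null when the session no longer has one
 * (expired, or its file was removed by garbage collection before this request).
 */
function session_owner(array $session): ?string
{
    $user = $session['username'] ?? null;   // 'username' key is an assumption
    return (is_string($user) && $user !== '') ? $user : null;
}

/** Insert only when an owner is known. On false the caller shows the login prompt and stops. */
function record_time(PDO $db, array $session, float $hours): bool
{
    $owner = session_owner($session);
    if ($owner === null) {
        return false;                       // no write; in a web handler: redirect, then exit
    }
    $stmt = $db->prepare('INSERT INTO time_log (username, hours) VALUES (?, ?)');
    return $stmt->execute([$owner, $hours]);
}

// Constructed sessions: one live, and one as PHP presents $_SESSION after
// session_start() runs for a session whose file has been deleted (empty array).
$live = ['username' => 'alice'];
$gone = [];

var_dump(record_time($db, $live, 1.5));
var_dump(record_time($db, $gone, 2.0));
echo $db->query('SELECT COUNT(*) FROM time_log')->fetchColumn(), " row(s) stored\n";
```

In a real handler, pass `$_SESSION` after `session_start()` and call `exit` immediately after sending the login redirect so no later code runs. Setting `session.gc_probability` to `0` turns off PHP's request-triggered session cleanup, which leaves removal of stale session files to a scheduled job run at a quiet hour.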