[QUOTE=StarLion;5583221]Other than the title of your thread saying "using sessions only" and then the entirety of the code being cookie based?
It's session cookies, yes, but not standalone cookies, something everyone seems to use as well as...
Why are you regenerating the ID of the session a line before destroying it?
Because destroying it only clears the session data.
What your script actually does is:
1. If the user is logged in and is not logging out, perpetuate the session by 11 months, 30 days, 4 hours, 40 minutes.
2. If the user is logged in and is logging out, destroy the session and reload the page; which will then cause it to follow option 3.
3. If the user is NOT logged in, and is not logging in, create a session which will expire immediately. (which some might say defeats the purpose)
4. If the user is not logged in and IS logging in, create a session via cookie that will expire in 11 months, 30 days, 4 hours, 40 minutes, and then reload the page, which will cause it to follow option 1.
*3. Zero is used to indicate to destroy the session cookie when the browser is closed, remember this is a session cookie not a standard cookie!
** unused var is just a remnant (I deleted dev crud as posting!)
So, in your opinion there are no security issues with this arrangement?
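
For reference alongside the four cases listed above, an added example (not the script under discussion and not code from either poster) of a PHP session login/logout using a browser-lifetime cookie. The function names, the `user_id` and `last_seen` keys and the 30-minute idle limit are assumptions made for the illustration.

```php
<?php
// Added example. Names and the idle limit are hypothetical, not from the thread.

function start_browser_session(): void
{
    // lifetime 0: the cookie is dropped when the browser closes,
    // instead of persisting for months.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(string $userId): void
{
    // Issue a fresh ID at login and delete the old session data, so an ID
    // handed out before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function log_out(): void
{
    $_SESSION = [];                          // clear the data in this request
    if (ini_get('session.use_cookies')) {    // expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain'  => $p['domain'],   'secure' => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();                       // remove the server-side data
}

function is_logged_in(int $idleLimit = 1800): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        log_out();                           // server-side expiry, independent of the cookie
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```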