OK, I was thinking about this situation. Say I am using sessions to keep track of logged-in users. According to the probability, each time session_start() is called the garbage collector may or may not be called. Is this correct?
Say a user logs in and a session is created, and that user forgets to log out, so session destroy is not called. Eventually the time will elapse and the session will expire, but until the garbage collector is called the expired session sits there. So if I don't have another user log in for maybe an hour, session_start is not called and GC is not called.
During this hour, if an attacker managed to sniff or grab the session ID of the last user, then the session could be used and made active. Is this correct?
This is where I am confused.
If the session expired because of elapsed time, could the session become active again if the garbage collector is not called?
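
With PHP's default file-based session handler, session.gc_maxlifetime only marks data as eligible for garbage collection; session_start() does not check the data's age, so the usual defence is to enforce the idle timeout in application code. The following is an added example, not part of the original post; the `last_activity` key, the 30-minute limit and the function names are assumptions chosen for illustration.

```php
<?php
// Added example: enforce the idle timeout in application code instead of
// relying on the session garbage collector to remove stale session data.

const IDLE_LIMIT = 1800; // assumed policy: 30 minutes of inactivity

/**
 * Decide whether stored session data is still valid at time $now.
 * 'last_activity' is a key name chosen for this example.
 */
function session_is_fresh(array $data, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($data['last_activity']) || !is_int($data['last_activity'])) {
        return false; // data without a timestamp is treated as expired
    }
    return ($now - $data['last_activity']) <= $limit;
}

/**
 * Start the session and reject data that outlived the idle limit,
 * whether or not the garbage collector has run in the meantime.
 * Returns false when a stale session was discarded.
 */
function start_checked_session(): bool
{
    session_start();
    $now   = time();
    $valid = empty($_SESSION) || session_is_fresh($_SESSION, $now);
    if (!$valid) {
        $_SESSION = [];              // drop the stale login state
        session_regenerate_id(true); // delete old data, issue a new ID
    }
    $_SESSION['last_activity'] = $now; // stamp every request
    return $valid;
}

// Constructed timestamps, run from the command line to see the decision:
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    var_dump(session_is_fresh(['last_activity' => $now - 60], $now));
    var_dump(session_is_fresh(['last_activity' => $now - 3600], $now));
    var_dump(session_is_fresh(['user' => 'alice'], $now));
}
```

Call `start_checked_session()` in place of a bare `session_start()` on every request, and treat a `false` return as "not logged in".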