Description
Session clearing after logout. Currently all session variables remain. My bad, it is there. But as sessions do not expire, they will remain if the user does not log out.
Proper session expiration handling. Currently it works under http, but not under https. Sessions are lost after a couple of seconds, probably some server configuration issue, so the session_ids are different and therefore `$fp = $this->fingerprint();` returns a different value. It really should handle session expiration by itself.
It was actually my bug. I use php-crud-api with BasicAuth and made some AJAX requests against it from the Pico site. What happens is a session conflict: PicoUsers sets a PHPSESSID cookie, php-crud-api also sets a PHPSESSID cookie and later overwrites it in the browser, and the PicoUsers session gets lost. It works under http, as php-crud-api was defined as https, so for the browser it was a CORS situation and no cookie was set.
I already made a ticket to php-crud-api and it is already solved: mevdschee/php-crud-api#600
Here also, perhaps you should consider setting a different session_name to avoid session conflicts. It could be hard-coded 'PicoUsers' or come from configuration.
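A sketch of the two requests in this issue, a distinct session cookie name and server-side session expiry, added here as an example; it is not PicoUsers code. The function names, the `last_seen` key and the 30-minute idle limit are hypothetical, and the array form of the cookie options assumes PHP 7.3 or later.

```php
<?php
// Added illustration, not PicoUsers code. Names and limits below are assumptions.
const SESSION_NAME = 'PicoUsers'; // name suggested in the issue; could come from config
const IDLE_LIMIT   = 1800;        // assumed idle timeout in seconds

function app_session_start(): void
{
    // A distinct cookie name keeps another PHP application on the same host
    // (default name PHPSESSID) from overwriting this session cookie.
    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,          // cookie lives until the browser closes
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side idle expiry: a user who never logs out still loses
    // the session data once the idle limit has passed.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];               // drop all session variables
        session_regenerate_id(true);  // new ID, old session storage deleted
    }
    $_SESSION['last_seen'] = $now;
}

function app_session_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```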