Description:
------------
Concerning Bug #43226 because it was set to 'bogus' and additional comments are not allowed.

First: I did not ask for support.

The issue I submitted is concerning the HTTP headers that the PHP function session_unregister() sends to the browser.

My suggestion was to send Cookie Expires and Cookie Max-Age together when unregistering a PHP session to make sure that even with broken proxy or browser implementations the session gets terminated.

This problem came across a broken proxy implementation that only treated the Max-Age option and ignored the Expires option and then sent the session cookie with the value 'deleted' back to the PHP application which then treated it as a valid session.

See:

https://sourceforge.net/tracker/index.php?func=detail&aid=1829098&group_id=311&atid=100311

I don't mess with computer's time but some internet users might do this and change the date to use expired software licenses. I don't know if the PHP application or PHP itself sets the cookie expires date to one year in the past. Maybe setting it to 1 January 1980 00:00 GMT is the safest way.

Bye,
Bernd