Hello,
is there a possibility to have Kirby’s session as a real session cookie, hence without expiry-date, so that it get’s deleted when the user closes the window?
Unfortunately not. If a user closes the browser window, this does not trigger an event on the server that could be used to throw away the session. This is unlike basic (non-session) cookies where the browser can decide to throw it away on the client side.
What PHP’s session implementation does is that it sets the client cookie to delete on closing the browser window, but still keeps the session file on the backend around until it expires. This is a compromise that makes it seem like the session is deleted on closing the browser window, but actually the session file is deleted much later.
So the solution depends on your use case. If it’s privacy (delete user data as soon as it’s no longer needed), I’m afraid it’s not possible in a robust way.
Workarounds could be to:
- use the
beforeunloadevent in JavaScript to manually fire an event that deletes the session (not 100% reliable) or to - set a second manual cookie that expires on closing the browser window and check for its existence before trying to access the stored session (but this again only emulates the behavior like PHP).