Index: branches/5.0.x/core/kernel/session/session.php =================================================================== diff -u -N -r12869 -r12898 --- branches/5.0.x/core/kernel/session/session.php (.../session.php) (revision 12869) +++ branches/5.0.x/core/kernel/session/session.php (.../session.php) (revision 12898) @@ -1,6 +1,6 @@ SessionDataTable.' WHERE '.$this->IDField.' = '.$this->Conn->qstr($session->SID); $this->Conn->Query($query); - $this->OriginalData = Array(); + $this->DirectVars = $this->ChangedDirectVars = $this->OriginalData = Array(); } function UpdateSession(&$session, $timeout=0) @@ -503,6 +503,12 @@ */ var $OptionalData = Array (); + /** + * Session expiration mark + * + * @var bool + */ + var $expired = false; function Session($mode = smAUTO) { @@ -595,10 +601,9 @@ return ; } - $expired_sids = $this->DeleteExpired(); - $my_sid_expired = in_array($this->CachedSID, $expired_sids); + $this->DeleteExpired(); - if ( ($expired_sids && $my_sid_expired) || ($this->CachedSID && !$this->_fromGet && !$this->SessionSet) ) { + if ($this->expired || ($this->CachedSID && !$this->_fromGet && !$this->SessionSet)) { $this->RemoveSessionCookie(); // true was here to force new session creation, but I (kostja) used // RemoveCookie a line above, to avoid redirect loop with expired sid @@ -608,6 +613,7 @@ // case #1: I've OR other site visitor expired my session // case #2: I have no session in database, but SID is present + $this->expired = false; $expire_event = new kEvent('u:OnSessionExpire'); $this->Application->HandleEvent($expire_event); } @@ -689,6 +695,13 @@ */ function SetCookie($name, $value, $expires = null) { + if (isset($expires) && $expires < adodb_mktime()) { + unset($this->Application->HttpQuery->Cookie[$name]); + } + else { + $this->Application->HttpQuery->Cookie[$name] = $value; + } + setcookie($name, $value, $expires, $this->CookiePath, $this->CookieDomain, $this->CookieSecure); } 
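Review bot: The return value of `DeleteExpired()` is discarded in the `-595,10 +601,9` hunk, so this branch now depends entirely on `$this->expired` having been set earlier; the code that sets it is in other hunks of this patch and the call order is not visible here. If a session passes the expiration check and is then removed by `DeleteExpired()` in the same request, the old `in_array($this->CachedSID, $expired_sids)` test caught it, while the new condition would leave `SessionSet` true for a deleted row. Either keep `$expired_sids = $this->DeleteExpired();` as a fallback test in the condition, or add a comment explaining why the list is no longer needed. The enclosing method starts and ends outside the hunk.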
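Review bot: In `SetCookie`, `$expires < adodb_mktime()` is also true for `$expires = 0`, which `setcookie()` treats as a browser-session cookie rather than a deletion, so such a cookie would be unset in `HttpQuery->Cookie` while the browser still receives it. Guarding on a positive value keeps the in-memory copy in step with the header: `if (isset($expires) && $expires > 0 && $expires < adodb_mktime()) {`. Whether any caller passes 0 is not visible in this hunk. The unchanged `setcookie()` call also passes no `httponly` argument; if this method sets the SID cookie and the supported PHP versions allow it, passing `true` as a seventh argument would keep the session identifier out of reach of page scripts.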
@@ -718,8 +731,13 @@ // If session has expired if ($this->Expiration < adodb_mktime()) { + // when expired session is loaded, then SID is + // not assigned, but used in Destroy method + $this->SID = $sid; $this->Destroy(); + $this->expired = true; + // when Destory methods calls SetSession inside and new session get created return $this->SessionSet; } @@ -729,6 +747,10 @@ } else { // fake or deleted due to expiration SID + if (!$this->_fromGet) { + $this->expired = true; + } + return false; } }
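Review bot: `$this->expired = true` is set after `$this->Destroy()` in the `-718,8 +731,13` hunk, and the comment that follows says `Destroy()` may call `SetSession` and create a new session; in that case the flag describes the old SID while the returned `SessionSet` describes the new one. The init code changed elsewhere in this patch reacts to `expired` by calling `RemoveSessionCookie()`, so it is worth confirming that the replacement session's cookie is not the one removed. A short comment here stating the intended sequence would help. That comment also has a typo, `Destory` for `Destroy`. The enclosing method starts outside the hunk.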
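Review bot: The `else` branch in the `-729,6 +747,10` hunk marks any SID that did not come from GET (presumably the cookie) and is missing from the database as `expired`, so a forged or stale value and a real timeout look the same to the `u:OnSessionExpire` handler and to anything that logs it. If that handler shows an expiry notice or writes an audit entry, a separate state for unknown SIDs would keep those signals accurate. Nothing in the hunk shows what happens to a GET-supplied SID that is not in the database; confirm that a fresh identifier is generated rather than the client-chosen one being adopted. A line in the `$expired` docblock naming where the flag is set and reset would make this lifecycle easier to follow.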