PEAK XOOPS - Re: Session Management

Re: Session Management

Posted on 2007/7/7 4:54
bills  Private   Posts: 2
When a user connects to Xoops, a new record is placed into the (xoops_)session table in the Xoops database. When a user logs in, a second record is entered into the session table. Since the first record's session data has "protector" session variables, I thought that your Protector module was making the entry. Given your response, I now have to assume that the Xoops core is making the entry, and when the login has been completed, a second entry for the same user session is then placed into the session table.

There should be only one entry per session... and it needs to be deleted at some point, which it is not. So, I guess there are multiple core bugs that are causing the creation of the two records and their lack of deletion... so I will start searching through the core for the problem.

Since you are worried about security, the dual session records make it possible for someone to hook into a Xoops system even though there has been a logout. I'm not sure of the specific cases, but I've been able to trigger the problem with some frequency. So people's concerns about not logging off are VERY VALID and IMPORTANT. There is a hole in the 2.0.16 version.

Thanks.
Votes:1 Average:0.00
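
An added example, not part of the original post and not XOOPS code: a minimal Python model, using an in-memory SQLite table, of the session lifecycle the post expects, where login replaces the pre-login record instead of adding a second one and logout deletes it. The table layout, column names, function names and the 900-second idle limit are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

SESSION_TTL = 900  # idle limit in seconds; constructed value for this example


def open_store():
    # Assumed layout standing in for the (xoops_)session table the post mentions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (sess_id TEXT PRIMARY KEY,"
               " sess_updated INTEGER, sess_data TEXT)")
    return db


def start_session(db, data="anonymous", now=None):
    """First request: one record for the not-yet-authenticated visitor."""
    sid = secrets.token_hex(16)
    stamp = int(time.time() if now is None else now)
    db.execute("INSERT INTO session VALUES (?, ?, ?)", (sid, stamp, data))
    return sid


def login(db, old_sid, uid, now=None):
    """Issue a fresh ID at login and delete the pre-login record in one transaction."""
    with db:
        db.execute("DELETE FROM session WHERE sess_id = ?", (old_sid,))
        return start_session(db, f"uid={uid}", now)


def logout(db, sid):
    """Logout removes the record, so the ID cannot be presented again."""
    with db:
        db.execute("DELETE FROM session WHERE sess_id = ?", (sid,))


def collect_garbage(db, now=None):
    """Delete records idle longer than SESSION_TTL; returns the number removed."""
    cutoff = int(time.time() if now is None else now) - SESSION_TTL
    with db:
        return db.execute("DELETE FROM session WHERE sess_updated < ?",
                          (cutoff,)).rowcount


def is_valid(db, sid):
    row = db.execute("SELECT 1 FROM session WHERE sess_id = ?", (sid,)).fetchone()
    return row is not None


def count(db):
    return db.execute("SELECT COUNT(*) FROM session").fetchone()[0]
```
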
