What is the "Expire all my sessions" option when I log out?
When the "Expire all my sessions" option on the Logout page (http://www.insanejournal.com/logout.bml) appears, it means there is more than one session for you in the database. There are several reasons why this may occur.
One such reason is that you are logged in on another computer. Another is that you logged in, closed your browser (or it crashed), then restarted it and logged in again less than 36 hours later.
In any case, it is unlikely that this is an indication of a security breach or an account break-in. If you are unsure, do feel free to use this option to expire all sessions, and the option will disappear for the time being.
The following explains in detail how the session handling mechanism works.
When you log in to InsaneJournal, two things happen:
1) A session is created and assigned an authentication code (authcode);
2) As part of the response to the login request, the server asks your browser to set a cookie with your username, a session number and its authcode in it. This mechanism increases security as it means your browser does not need to store the password to your account to allow you to remain logged in.
Since the browser has control over the cookies, it can expire these when it closes. Once the browser is restarted, the cookie no longer exists. However, by the nature of the World Wide Web, the InsaneJournal servers only hear from your browser when it makes a request for a page; there is no way for the InsaneJournal servers to know when you close your browser. This is why sessions may still be active on the server after your browser has discarded its cookie. This is not a security risk: once your cookie is gone, no copy of the authcode remains that would allow anyone to use the session.
If you choose to expire your cookies when the browser closes, the sessions that are created will expire after 36 hours of inactivity. (If you chose the option to create a login that never expires, the sessions will time out after 60 days of inactivity.) However, sessions are not automatically deleted when they expire - they may remain dormant on the server, and will only be deleted when someone attempts to use them (and the server then notices that they have expired), or when you choose to delete them by way of the option on the Logout page (http://www.insanejournal.com/logout.bml).
It is therefore possible to have several dormant sessions remaining on the server that have in fact expired. Because they have expired, they are unusable and do not present a security risk.
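The mechanism described above can be modelled in a few lines of Python. This is an added illustration, not InsaneJournal's actual code; the class, its method names and the in-memory storage are assumptions made for the example.

```python
import hmac
import secrets

IDLE_SHORT = 36 * 3600       # login whose cookie expires when the browser closes
IDLE_LONG = 60 * 24 * 3600   # login that "never expires"

class SessionStore:
    """Hypothetical in-memory model of the server-side session table."""

    def __init__(self):
        self.rows = {}      # (user, session number) -> [authcode, idle limit, last used]
        self.next_id = {}   # user -> next session number

    def login(self, user, now, never_expires=False):
        sid = self.next_id.get(user, 1)
        self.next_id[user] = sid + 1
        authcode = secrets.token_hex(8)   # random value; the password is never stored
        limit = IDLE_LONG if never_expires else IDLE_SHORT
        self.rows[(user, sid)] = [authcode, limit, now]
        return (user, sid, authcode)      # the three values placed in the cookie

    def check(self, cookie, now):
        user, sid, authcode = cookie
        row = self.rows.get((user, sid))
        if row is None or not hmac.compare_digest(row[0], authcode):
            return False
        if now - row[2] > row[1]:
            del self.rows[(user, sid)]    # expired rows are only deleted on attempted use
            return False
        row[2] = now                      # activity restarts the inactivity timer
        return True

    def count(self, user):
        # Rows still stored, dormant or not; more than one makes the option appear.
        return sum(1 for (u, _) in self.rows if u == user)

    def expire_all(self, user):
        for key in [k for k in self.rows if k[0] == user]:
            del self.rows[key]

if __name__ == "__main__":
    store = SessionStore()
    old = store.login("example_user", now=0)        # browser later closed, cookie lost
    new = store.login("example_user", now=3600)     # logged in again an hour later
    print(store.count("example_user"))              # two rows: the option is offered
    store.expire_all("example_user")
    print(store.check(new, now=3700))               # False: every session is gone
```

Times are passed in as plain seconds so the 36-hour and 60-day limits can be exercised without waiting.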