I think the situation I am seeing on my server is that bad guys are establishing a session and then just holding it, trying to do a DoS. The session gets flagged as kill_me idle, expecting the purge to actually drop the connection. Since the session is not truly idle, it never gets killed. I remember somewhere that sessions can get set kill_me for admin reasons, but I do not remember the conditions off the top of my head. I think the purge is really a cleanup and the code uses it to actually try to end the current connection.
I will have to look at the code a bit, but we may need to just have something that drops the connection and does not purge the session in some cases. If a session is idle, is there a case that you can think of where the session needs to be killed rather than just ending the connection?
