1. Why I'm able to reuse the session token even if i've destroyed them ?
I've tested this, and indeed, after destroying a session I can restore the session, after which it gives me the same deposit address. It resets the timer to the full 48 hours though.
I haven't tested this with a funded session, I don't dare to destroy that session just to test it.
hmm... weird, I have completely a different experience awhile ago
though it wasn't
destroyed but
expired with no deposit yet, then I tried to restore with session token
what I get with the same session token url is showing a different deposit address.
have you tried (hard) reloading the page? could it be just displaying the old cache from the browser?