Session Id Implementation


tal

Hello people,

I need some help with session ID implementation.

I have a site where I need to log in users. After login, I identify them by cookies (unique user ID only). Now I want to add a session ID to the cookie, so no saved cookie could be used in the future, or even after the next page request.

What I want to do goes like this:

1- I have a function that gives the session ID - let's say it adds one each time to the current session ID.
2- When the user logs in for the first time he gets the session ID of 1, and that session ID is saved in the database, under the user's unique user ID.
3- When he asks for a new page, his session ID (1) is read from the cookie, then checked for a match with the DB. If there is a match, the function adds one to his session ID in the DB, gives him a new cookie, and the requested page. If not, he is sent back to the login page and his cookie is deleted.
4- Next time the user logs in he will get the session ID from the DB+1.

So my questions are: first, am I doing it right? Is there an easier way of creating a session ID? Do you have any suggestions for session implementation?

Thank you for your attention,
Tal


It sounds like you're duplicating what sessions do automatically. session_start() creates a session_id, and most of the time you do not need to know what it is. PHP reads it in the cookie string and correlates it with its internal database to read/write values to your $_SESSION array. I know that the session ID is stored as a cookie, but I never think of it that way, since I don't use it that way. And I sure don't store logins in my own database. Even flood control data can be stored in the $_SESSION array.

Are you trying to do something unusual?


No, nothing unusual, but it looks like I am duplicating the session_start behavior.

What I want to do is to prevent some "attacker" from getting a user's login cookie and so bypassing the login page by asking for a "private user space" page without the need to get a login cookie. That is why the session idea came to my mind (there is no data I need to save about the specific user).

So will the session functions of PHP do that best? Will they verify that no "old" cookie is presented to the server to gain access to the "private user space"?

-------------------------------

You write "I don't store logins in my own database". How come? Because you don't have a use for it, or because there is a better way of doing a "private per user space"?

Thank you,
Tal


"I sure don't store logins in my own database . . ." I mean I don't track who's logged in or when they logged out. I do of course keep a database of users and passwords.

The PHP session mechanism does everything you'll probably want. A session in progress gets rejuvenated every time you call session_start(). If that doesn't happen after a set period of time (20-50 min) then the session expires, and scripts called by the user no longer have access to session data.

You should build a logout procedure into your pages for users in shared or open environments. That and the expiration process should keep out the bad guys.

Here's some stuff I posted for someone yesterday: http://w3schools.invisionzone.com/index.ph...mp;#entry155500

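The session handling discussed in this thread, as an added example that is not part of any poster's reply: it relies on PHP's built-in sessions, issues a fresh session ID at login, enforces an idle limit in code, and provides the logout step, so a saved cookie stops working once the session is destroyed. It assumes PHP 7.3 or later; the function names, `IDLE_LIMIT`, the `$_SESSION` keys and `/login.php` are assumptions made for illustration.

```php
<?php
// Added example: function names, IDLE_LIMIT, the $_SESSION keys and
// /login.php are illustrative assumptions, not taken from the thread.
const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function app_session_start(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued
    session_start();
}

function on_login_success(int $userId): void {
    session_regenerate_id(true); // new ID at login; the pre-login ID is deleted
    $_SESSION['uid']  = $userId;
    $_SESSION['last'] = time();
}

function logout(): void {
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        $p = session_get_cookie_params();
        // Expire the browser's cookie with the same attributes it was set with.
        setcookie(session_name(), '', [
            'expires' => time() - 3600, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
        session_destroy(); // server-side data gone: the old cookie maps to nothing
    }
}

// Call at the top of every "private user space" page, after app_session_start().
function require_login(): int {
    $idle = time() - ($_SESSION['last'] ?? 0);
    if (!isset($_SESSION['uid']) || $idle > IDLE_LIMIT) {
        logout();
        header('Location: /login.php'); // assumed login page path
        exit;
    }
    $_SESSION['last'] = time(); // activity resets the idle clock
    return $_SESSION['uid'];
}
```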

Archived

This topic is now archived and is closed to further replies.
