Jump to content

Sessions

remenissions

By remenissions
in PHP Coding Help

 Share
Go to solution Solved by remenissions,

Recommended Posts

remenissions Member

remenissions

Posted
Posted

Hey guys, I'll try to keep this short and simple. I've spent hours upon hours (probably 30-40+ over the week) trying to decide the best and most secure route to take with php sessions, I wouldn't trouble the community for help if I haven't put the time into it myself.

 

After looking around I have come across a basic thought:

 

- Check if session is already active

- Set name and Params

- Start Session

- Check user_agent\ip (I'm not pushing this so much other than letting logged in users be aware of another device)

- Regenerate Id and allow old Session id to work for a minute or so

- Write encrypted data

- Read encrypted data

 

Pretty much I'm stuck on Regenerating the Id, I see how others are doing it but i guess i'm intimidated by it.

 

Also, I have seen a few others who connect to the database to update regenerate id and update every write to store data. Performance wise is this worth it? I know if you're working with multiple servers this can benefit passing the session data, but if this is the case.

Link to comment
Share on other sites
  • Solution
remenissions Member

remenissions

Posted
  • Author
  • Solution
Posted (edited)

Spaced out what I have to help make it more clear, hope it helps with readability some.

 
class session {
 
     public static function start($name = 'Account', $limit = 0, $path = '/', $domain = null, $secure = null) {
 
          if(session_status() == PHP_SESSION_ACTIVE);
          else {
               $domain = isset($domain) ? $domain : $_SERVER['SERVER_NAME'];
               $https = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
               session_name($name);
               session_set_cookie_params($limit, $path, $domain, $secure, true);
               session_start();
               if(isset($_SESSION['Account_Id'])) {
                    //Regenerate Id by 10% chance or so. 
               } 
               if(isset($_SESSION['User_Agent']) != $_SERVER['HTTP_USER_AGENT']) {
                    //Let the user know another device has accessed this session
               }
 
          }
     }
 
     public static function set($item, $data) {
          $key = Filter::key();
          $_SESSION[$item] = Filter::encrypt($data, $key);
          return $key;
     }
 
     public static function get($item, $key) {
          $data = Filter::decrypt($_SESSION[$item], $key);
          return $data;
     }
}
Edited by remenissions
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.