Thanks again for the replies. I've removed the password from the session, however I'm now facing another problem: as soon as I leave the login page after logging in (the page that sets the session), PHP empties the 'session_data' column and updates the 'session_date' (the one with the current time) column. I have absolutely NO idea what's causing the problem. Cookies can be changed, so if I use cookies to keep the session data in the database intact, there's a huge security risk. Right?
Sorry for being so stupid, I'm sure there's a very simple solution for it, but I just don't even remotely know what that solution might be. Since this is the first time I'm using database sessions, it's still all very new to me.
How do you guys handle login systems? I'm not asking for code (I'm here to learn, not to steal your code), I'm just curious whether you guys use cookies + sessions, custom sessions, sessions, etc., because creating a decent login system can't be too difficult (right?). Since I updated some of the code, here are the relevant pieces of code:
The function that writes the session to the database, called automatically by PHP (so it's not the login system that calls this function).
function drasession_write($sessionid = '', $sessiondata = '') {
    global $draseim;
    // Prepare the variables we need in our query
    $sessionid = mysqli_real_escape_string($draseim['connection'], $sessionid);
    $sessiondata = mysqli_real_escape_string($draseim['connection'], $sessiondata);
    // Run a query (columns in table order: session id, serialized session data, time of this write)
    $result = draseim_query($draseim['connection'], "
        REPLACE INTO " . db_pref . "sessions
        VALUES (
            '$sessionid',
            '$sessiondata',
            '" . $draseim['time'] . "'
        )
    ", true, false);
    // PHP expects the write handler to return a boolean
    return (bool) $result;
}
This is a part of the login function, the part that sets the session.
// The user agent
$login['user_agent'] = mysqli_real_escape_string($draseim['connection'], $_SERVER['HTTP_USER_AGENT']);
// The IP address
$login['user_ip'] = addslashes($_SERVER['REMOTE_ADDR']);
// How long should we keep the session active?
$sessionlength = (!empty($_POST['draseim_forever']) ? '0' : '60');
// Set the session
$_SESSION[$setting['session_name']] = array(
    'user' => $userid,
    'agent' => $login['user_agent'],
    'ip' => $login['user_ip'],
    'sessionlength' => $sessionlength
);
Oh, to confirm that I am calling session_start(), here's all code from the header comment block to that function.
// Let's not jump the gun by accessing files directly. Index.php (which, in case you haven't noticed, is this file) is the only file that should be accessed directly
if(defined('Draseim'))
    die('No. Just... no.');
else
    define('Draseim', 1);
// Let's create an array
$draseim = array();
// What time is it?
$draseim['time'] = time();
// We need these files.
require 'Config.php';
require $setting['dir_resources'] . '/Start.php';
require $setting['dir_resources'] . '/Menu.php';
require $setting['dir_resources'] . '/Session.php';
require $setting['dir_apps'] . '/User.app.php';
// Define db_pref, which contains the database prefix
define('db_pref', $setting['db_pref']);
// Let's establish a connection to the database
$draseim['connection'] = draseim_connect($setting['db_server'], $setting['db_user'], $setting['db_password'], $setting['db_name']);
// Database sessions (must be registered before session_start)
session_set_save_handler(
    'drasession_open',
    'drasession_close',
    'drasession_read',
    'drasession_write',
    'drasession_destroy',
    'drasession_cleaner'
);
// Otherwise the sessions won't work
session_start();
Thanks again for your replies and help.
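As an added example (not the poster's code), here is the same database session handler written against PDO prepared statements, so the session data is bound as a parameter instead of escaped and interpolated into the query, with the read callback returning an empty string when no row exists. It assumes PHP 5.4 or later, an already-open PDO connection in $pdo, and a sessions table with session_id, session_data and session_date columns.

```php
<?php
// Added example, not the poster's code. Assumed table:
// sessions(session_id VARCHAR(128) PRIMARY KEY, session_data TEXT, session_date INT)
// $pdo is an assumed, already-open PDO connection.
class DbSessionHandler implements SessionHandlerInterface
{
    private $pdo;
    private $table;
    public function __construct(PDO $pdo, $table = 'sessions')
    {
        $this->pdo = $pdo;
        $this->table = $table;
    }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    // read() must return a string. Return '' (never false or null) when there is no row,
    // otherwise PHP treats the session as empty and writes that empty state back on shutdown.
    public function read($id)
    {
        $stmt = $this->pdo->prepare("SELECT session_data FROM {$this->table} WHERE session_id = ?");
        $stmt->execute(array($id));
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }
    // Values are bound as parameters, so nothing is escaped at the application layer.
    public function write($id, $data)
    {
        $stmt = $this->pdo->prepare(
            "REPLACE INTO {$this->table} (session_id, session_data, session_date) VALUES (?, ?, ?)"
        );
        return $stmt->execute(array($id, $data, time()));
    }
    public function destroy($id)
    {
        $stmt = $this->pdo->prepare("DELETE FROM {$this->table} WHERE session_id = ?");
        return $stmt->execute(array($id));
    }
    public function gc($maxlifetime)
    {
        $stmt = $this->pdo->prepare("DELETE FROM {$this->table} WHERE session_date < ?");
        return $stmt->execute(array(time() - $maxlifetime));
    }
}
// The second argument registers session_write_close() as a shutdown function, so the
// write happens while the connection is still usable.
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();
// On a successful login, issue a fresh session id before storing the user id
// (assumed $userid, as in the poster's login function):
// session_regenerate_id(true); $_SESSION['user'] = $userid;
```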