kmaid Posted October 23, 2008

Hello all, I am currently creating a login system and have been trying to understand exactly how sessions work so I can make the script secure. So far I have understood that session data is always stored on the server and the client is given a cookie with the unique ID relating to the data stored on the server. How long is this information kept for, and how can you alter it on a per-session basis like phpfreaks does? Should I write a check to make sure that the IP address is the same as the original session starter, and are there any drawbacks to doing so?

Thanks
Kmaid
GKWelding Posted October 23, 2008

http://www.phpfreaks.com/forums/index.php/topic,222275.0.html
php.ajax.coder Posted October 23, 2008

Sessions are normally active so long as the client doesn't close the browser, but it depends on the server settings. It's not a good idea to record the IP in this way because IP addresses can change on the client's side.
kmaid Posted October 23, 2008 (Author)

Sorry, I don't understand why it would be a bad idea. My intention was to just make their IP address a session variable, so should someone attempt to hijack the session, when it compared the IP addresses it would expire the session and make them log in. The only time it would be a problem is if the user changed IP address every time they requested the site. How often does that happen?
CroNiX Posted October 23, 2008

Some ISPs, like AOL, do change the IP address on every page request. They are not the only ones... if you have a dynamic IP, which is most people, it can change.
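As an added example, not code posted by anyone in this thread: the two things kmaid asked about (how long a session lives, and choosing that per session) can be handled without tying the session to the client IP. The server-side keep-alive (`session.gc_maxlifetime`) is a single global value, so it is set to the longest lifetime any session may have, while the cookie lifetime is chosen per login and the shorter idle limit is enforced by timestamps kept in `$_SESSION`. The session id is regenerated after a successful login so that an id planted before authentication cannot be reused. It assumes PHP 7.3 or later and the default session handler; the function names and the 30-day and 30-minute limits are hypothetical values.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.3+ and the
// default (file-based) session handler; function names are hypothetical.

// Server-side data is garbage-collected after gc_maxlifetime, which is one
// global value, so it is set to the longest lifetime any session may have.
// Shorter sessions are enforced by the timestamps stored in $_SESSION.
const MAX_SESSION_SECONDS = 30 * 24 * 3600;   // 30 days (constructed value)

function configure_session(int $cookie_lifetime = 0): void
{
    ini_set('session.gc_maxlifetime', (string) MAX_SESSION_SECONDS);
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => $cookie_lifetime,   // 0 = until the browser closes
        'path'     => '/',
        'secure'   => true,               // send only over HTTPS
        'httponly' => true,               // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Called from the login handler after the password check has succeeded.
// The cookie lifetime is chosen per session here, before the session starts,
// because cookie parameters cannot be changed once the session is active.
function login_user(int $user_id, bool $remember): void
{
    configure_session($remember ? MAX_SESSION_SECONDS : 0);
    session_start();
    // A fresh id after authentication defeats session fixation: an id handed
    // to the victim before login no longer maps to the logged-in account.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['logged_in_at'] = time();
    $_SESSION['last_seen']    = time();
    $_SESSION['idle_limit']   = $remember ? MAX_SESSION_SECONDS : 30 * 60;
}

// Called on every other request. Returns the user id, or null when there is
// no session or it has gone idle / reached its absolute limit.
function current_user(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        configure_session(0);   // PHP only (re)sends the cookie for a new id,
        session_start();        // so an existing long-lived cookie keeps its expiry
    }
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $now = time();
    $expired = ($now - $_SESSION['last_seen'])    > $_SESSION['idle_limit']
            || ($now - $_SESSION['logged_in_at']) > MAX_SESSION_SECONDS;
    if ($expired) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as deleting the server data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

The PHP session cookie's expiry is counted from the moment it is set and is not extended on later requests; if a sliding expiry is wanted, call `session_regenerate_id(true)` from time to time, which re-sends the cookie with the current parameters. An idle limit plus an absolute limit gives most of the protection an IP check was meant to provide, without logging out users whose address changes mid-session.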
limitphp Posted October 23, 2008

It's funny, I'm trying to figure out the exact thing as you. I want to create a login that is somewhat secure. I can't afford to buy SSL, but I want the login to be logically sound and somewhat secure.

I have found out several things so far: you can use sessions or cookies.

If you use sessions, it will create a unique ID and store that in a cookie and tie that to a user ID for a temporary period of time. Usually about 15-25 minutes or until the user closes the browser. If you want it to last a long time, like a week or a month, you have to write your own custom session handler. Which, so far, as I've been reading on, is really difficult, at least for me to understand.

If you use cookies, the problem becomes, what do you store in the cookie to tie the info to the user ID. From what I'm reading, you don't want to store any user info. So, that almost counts using cookies out.

What I think I'm going to try is using cookies, and creating a unique ID to store in the cookie. Store the unique ID in a table along with the user ID and an expiration date. Then, every so often, probably every day, delete all the entries in the table that are expired.
limitphp Posted October 23, 2008

Someone pointed out that what I'm trying to do is pretty much what using a custom session handler will do for you. Only I have found that creating a custom handler seems to be more difficult than doing it myself.
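Added example of the cookie-plus-table design limitphp describes (a random ID in the cookie, a row tying it to the user ID with an expiry, and a periodic purge); this is not code from this thread. The cookie carries only a random value, never user data, and the table stores only a hash of the secret half, so a leaked copy of the table does not log anyone in. It assumes PHP 7.3 or later, PDO, and the constructed `remember_tokens` table shown in the comment; the names, column sizes and 30-day lifetime are hypothetical.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.3+, PDO, and this
// constructed table (all names hypothetical):
//
//   CREATE TABLE remember_tokens (
//     selector   CHAR(24)     NOT NULL PRIMARY KEY,
//     token_hash CHAR(64)     NOT NULL,
//     user_id    INT UNSIGNED NOT NULL,
//     expires    INT UNSIGNED NOT NULL
//   );

const REMEMBER_COOKIE  = 'remember';
const REMEMBER_SECONDS = 30 * 24 * 3600;   // 30 days (constructed value)

// Issue a token after a successful login. The selector is a lookup key; the
// validator is the secret, of which only a SHA-256 hash is stored.
function issue_remember_token(PDO $db, int $user_id): void
{
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars
    $validator = bin2hex(random_bytes(32));   // 64 hex chars
    $expires   = time() + REMEMBER_SECONDS;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $user_id, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Resolve the cookie to a user id, or null. The selector finds the row and
// the validator is checked in constant time against the stored hash, so the
// comparison itself leaks nothing about how many characters matched.
function user_from_remember_cookie(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT token_hash, user_id FROM remember_tokens
         WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Revoke the token on logout so the cookie cannot be replayed afterwards.
function revoke_remember_token(PDO $db): void
{
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')
           ->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// The periodic clean-up limitphp describes; returns the number of rows removed.
function purge_expired_tokens(PDO $db): int
{
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE expires <= ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}
```

Splitting the cookie into a selector and a validator means the database lookup is by an indexed key while the secret is only ever compared with `hash_equals()`; a token that is recognised should be followed by the normal session start and an id regeneration, exactly as for a password login.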
CroNiX Posted October 23, 2008

This is what I use. Of course, you need to change all of the database calls to your own as I am using my own abstraction class within it.

```php
<?php
/*
CREATE TABLE `sessions` (
  `session_id` varchar(100) NOT NULL default '',
  `session_data` text NOT NULL,
  `expires` int(11) NOT NULL default '0',
  PRIMARY KEY (`session_id`)
) TYPE=MyISAM;
*/

class SessionManager {
    private $life_time;
    private $db;
    public $sessid;

    function __construct($db_object) {
        // Read the maxlifetime setting from PHP
        $this->life_time = get_cfg_var("session.gc_maxlifetime");
        $this->db = $db_object; //change to your own db method
        // Register this object as the session handler
        session_set_save_handler(
            array( &$this, "open" ),
            array( &$this, "close" ),
            array( &$this, "read" ),
            array( &$this, "write" ),
            array( &$this, "destroy" ),
            array( &$this, "gc" )
        );
    }

    function open( $save_path, $session_name ) {
        global $sess_save_path;
        $sess_save_path = $save_path;
        // Don't need to do anything. Just return TRUE.
        return true;
    }

    function close() {
        return true;
    }

    function read( $id ) {
        // PHP expects the serialized session data as a string, or '' when
        // there is no (unexpired) row for this id
        $data = '';
        // Fetch session data from the selected database
        $time = time();
        $newid = $this->db->escape($id); //change to your own db method
        $this->sessid = $newid;
        $sql = "SELECT `session_data` FROM `sessions` WHERE `session_id` = '$newid' AND `expires` > $time";
        $rs = $this->db->query($sql); //change to your own db method
        if ($this->db->numRows($rs) > 0) { //change to your own db method
            $row = $this->db->fetchAssoc($rs); //change to your own db method
            $data = $row['session_data'];
            $this->db->closeRS();
        }
        return $data;
    }

    function write( $id, $data ) {
        // Build query: the row expires gc_maxlifetime seconds from now
        $time = time() + $this->life_time;
        $newid = $this->db->escape($id); //change to your own db method
        $this->sessid = $newid;
        $newdata = $this->db->escape($data); //change to your own db method
        $sql = "REPLACE `sessions` (`session_id`,`session_data`,`expires`) VALUES('$newid', '$newdata', $time)";
        $this->db->query($sql); //change to your own db method
        return true;
    }

    function destroy( $id ) {
        // Build query
        $newid = $this->db->escape($id); //change to your own db method
        $q = "DELETE FROM `sessions` WHERE `session_id` = '$newid'";
        $this->db->query($q); //change to your own db method
        return true;
    }

    // Garbage collection: PHP passes the max lifetime, but the expiry is
    // already stored per row, so it is not needed here
    function gc( $max_lifetime ) {
        // Build DELETE query. Delete all records who have passed the expiration time
        $sql = 'DELETE FROM `sessions` WHERE `expires` < UNIX_TIMESTAMP();';
        $this->db->query($sql); //change to your own db method
        // Always return TRUE
        return true;
    }

    function getSessid() {
        return $this->sessid;
    }
}
?>
```

Then you just use sessions as you normally would with all of the regular commands, and it will use the database instead of session files on the server.