Jump to content

Recommended Posts

Hello all,

 

I am currently creating a login system and have been trying to understand exactly how sessions work so I can make the script secure. So far i have understood that session data is always stored on the sever and the client is given a cookie with the unique ID relating to the data stored on the server.

 

How long is this information kept for and how can you alter it on a per session basis like phpfreaks does?

 

Should I write a check to make sure that the IP address is the same as the original session starter and are there any drawbacks to doing so?

 

Thanks

Kmaid

Link to comment
https://forums.phpfreaks.com/topic/129787-sessions/
Share on other sites

Sorry I dont understand why it would be a bad idea. My intention was to just make their IP address as a session variable so should someone attempt to hijack the session when it compared the IP addresses it would expire the session and make them login. The only time it would be is if the user changed IP address everytime they requested the site. How often does that happen?

Link to comment
https://forums.phpfreaks.com/topic/129787-sessions/#findComment-672875
Share on other sites

its funny, I'm trying to figure out the exact thing as you.

I want to create a login that is somewhat secure.  I can't afford to buy SSL, but I want the login to be logically sound and somewhat secure.

 

I have found out several things so far:

you can use sessions or cookies.

 

if you use sessions, it will create a uniqueid and store that in a cookie and tie that to a userid for a temporary period of time.  Usually about 15-25 minutes or until the user closes the browser.

If you want it to last a long time, like a week or a month, you have to write your own custom session handler.  Which, so far, as I've been reading on, is really difficult, at least for me to understand.

 

if you use cookies, the problem becomes, what do you store in the cookie to tie the info to the userid.

From what I'm reading, you don't want to store any user info.

So, that almost counts using cookies out.

 

What I think I'm going to try is using cookies, and creating a uniqueID to store in the cookie.  Store the unqiueID in a table along with the userID and an expiration date.

Then, every so often, probably everyday, delete all the entries in the table that are expired.

 

 

Link to comment
https://forums.phpfreaks.com/topic/129787-sessions/#findComment-672881
Share on other sites

This is what I use.  Of course, you need to change all of the database calls to your own as I am using my own abstraction class within it.

 

<?php
/*
CREATE TABLE `sessions` (
  `session_id` varchar(100) NOT NULL default '',
  `session_data` text NOT NULL,
  `expires` int(11) NOT NULL default '0',
  PRIMARY KEY  (`session_id`)
) TYPE=MyISAM;
*/
class SessionManager {

   	private $life_time;
private $db;
public $sessid;

   	function __construct($db_object) {
      // Read the maxlifetime setting from PHP
      	$this->life_time = get_cfg_var("session.gc_maxlifetime");
      	$this->db = $db_object;  //change to your own db method
      	// Register this object as the session handler
	session_set_save_handler( 
        	array( &$this, "open" ), 
        	array( &$this, "close" ),
        	array( &$this, "read" ),
        	array( &$this, "write"),
        	array( &$this, "destroy"),
        	array( &$this, "gc" )
      	        );
}

function open( $save_path, $session_name ) {
      	global $sess_save_path;
	$sess_save_path = $save_path;
      	// Don't need to do anything. Just return TRUE.
      	return true;
   	}

   	function close() {
      	return true;
   	}

   	function read( $id ) {
      	
   		// Set empty result
      	$data = array();
      	// Fetch session data from the selected database

      	$time = time();
      	$newid = $this->db->escape($id);  //change to your own db method
      	$this->sessid = $newid;
      	
      	$sql = "SELECT `session_data` FROM `sessions` WHERE `session_id` = '$newid' AND `expires` > $time";
      	$rs = $this->db->query($sql);      //change to your own db method                     
      	
      	if($this->db->numRows($rs) > 0) {  //change to your own db method
        	$data = $this->db->fetchAssoc($this->db->rs);
        	$this->db->closeRS();
      	}       
      	return $data;
   	}

   	function write( $id, $data ) {
      	// Build query                
      	$time = time() + $this->life_time;
      	$newid = $this->db->escape($id);  //change to your own db method
      	$this->sessid = $newid;
      	$newdata = $this->db->escape($data);  //change to your own db method
      	$sql = "REPLACE `sessions` (`session_id`,`session_data`,`expires`) VALUES('$newid', '$newdata', $time)";
      	$this->db->query($sql);//change to your own db method
      	return TRUE;
   	}

   	function destroy( $id ) {
      	// Build query
      	$newid = $this->db->escape($id);  //change to your own db method
      	$q = "DELETE FROM `sessions` WHERE `session_id` = '$newid'";
      	$this->db->query($q);  //change to your own db method
      	return TRUE;
   	}

   	function gc() {
      	// Garbage Collection
      	// Build DELETE query.  Delete all records who have passed the expiration time
      	$sql = 'DELETE FROM `sessions` WHERE `expires` < UNIX_TIMESTAMP();';
      	$this->db->query($sql);  //change to your own db method
      	// Always return TRUE
      	return true;
   	}
   	function getSessid(){
   		return $this->sessid;
   	}
}
?>

 

Then you just use sessions as you normally would with all of the regular commands, and it will use the database instead of session files on the server.

Link to comment
https://forums.phpfreaks.com/topic/129787-sessions/#findComment-672895
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.