
Sessions


remenissions


Hey guys, I'll try to keep this short and simple. I've spent hours upon hours (probably 30-40+ over the week) trying to decide the best and most secure route to take with PHP sessions; I wouldn't trouble the community for help if I hadn't put the time into it myself.

After looking around I have come across a basic thought:

- Check if session is already active

- Set name and params

- Start session

- Check user_agent\ip (I'm not pushing this so much other than letting logged in users be aware of another device)

- Regenerate Id and allow old session id to work for a minute or so

- Write encrypted data

- Read encrypted data

Pretty much I'm stuck on regenerating the Id. I see how others are doing it, but I guess I'm intimidated by it.

Also, I have seen a few others who connect to the database to update regenerate id and update every write to store data. Performance-wise, is this worth it? I know if you're working with multiple servers this can benefit passing the session data, but if this is the case.

https://forums.phpfreaks.com/topic/276457-sessions/

Spaced out what I have to help make it clearer; hope it helps with readability some.

 
class session {

     public static function start($name = 'Account', $limit = 0, $path = '/', $domain = null, $secure = null) {

          // Nothing to do if a session is already running
          if(session_status() == PHP_SESSION_ACTIVE) {
               return;
          }
          $domain = isset($domain) ? $domain : $_SERVER['SERVER_NAME'];
          // Default the Secure cookie flag to whether this request came in over HTTPS
          $secure = isset($secure) ? $secure : isset($_SERVER['HTTPS']);
          session_name($name);
          // lifetime, path, domain, secure, httponly
          session_set_cookie_params($limit, $path, $domain, $secure, true);
          session_start();
          if(isset($_SESSION['Account_Id'])) {
               //Regenerate Id by 10% chance or so.
               if(mt_rand(1, 10) == 1) {
                    session_regenerate_id(true);
               }
          }
          // Compare the stored user agent with the current one (isset() alone only gives a boolean)
          $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
          if(!isset($_SESSION['User_Agent'])) {
               $_SESSION['User_Agent'] = $agent;
          } elseif($_SESSION['User_Agent'] != $agent) {
               //Let the user know another device has accessed this session
               $_SESSION['Device_Changed'] = true;
          }
     }

     // Filter::key(), Filter::encrypt() and Filter::decrypt() are my own helpers, not shown here
     public static function set($item, $data) {
          $key = Filter::key();
          $_SESSION[$item] = Filter::encrypt($data, $key);
          return $key;
     }

     public static function get($item, $key) {
          if(!isset($_SESSION[$item])) {
               return null;
          }
          $data = Filter::decrypt($_SESSION[$item], $key);
          return $data;
     }
}
https://forums.phpfreaks.com/topic/276457-sessions/#findComment-1422571
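The step the two posts above leave open is "regenerate the id and let the old id keep working for a minute or so". The following is an added example, not the poster's class and not anything from phpfreaks: it starts the session with strict mode and hardened cookie flags, records a forwarding note in the old session record on regeneration instead of deleting it, and on the next request either moves a late caller of the old id over to the new id (inside the grace window) or refuses it (outside the window). The class name, the `GRACE_SECONDS` constant and the `destroyed_at` / `new_session_id` keys are assumptions made for this example; the array form of `session_set_cookie_params()` needs PHP 7.3+ and `session_create_id()` needs PHP 7.1+.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's class: a session wrapper with a
// regeneration grace window. Session, GRACE_SECONDS and the
// destroyed_at / new_session_id keys are names chosen for this example.
final class Session
{
    // How long the previous id keeps working after regeneration (assumed: 60 s).
    public const GRACE_SECONDS = 60;

    // Returns true when the request now holds a valid session, false when it
    // presented an id that was retired longer ago than the grace window.
    public static function start(string $name = 'Account'): bool
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return true;
        }
        // Reject ids the server never issued (defence against session fixation).
        ini_set('session.use_strict_mode', '1');
        session_name($name);
        session_set_cookie_params([          // array form needs PHP 7.3+
            'lifetime' => 0,
            'path'     => '/',
            'domain'   => $_SERVER['SERVER_NAME'] ?? '',
            'secure'   => !empty($_SERVER['HTTPS']),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();

        // This id was retired by regenerate(). Inside the grace window, move
        // the request over to the replacement id; outside it, drop the session.
        if (isset($_SESSION['destroyed_at'])) {
            if ($_SESSION['destroyed_at'] < time() - self::GRACE_SECONDS) {
                $_SESSION = [];
                session_destroy();
                return false;
            }
            $newId = (string) $_SESSION['new_session_id'];
            session_commit();
            session_id($newId);
            session_start();
        }

        // Record the user agent on first use and flag a later change, so the
        // application can tell the user another device used this session.
        $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
        if (!isset($_SESSION['user_agent'])) {
            $_SESSION['user_agent'] = $agent;
        } elseif ($_SESSION['user_agent'] !== $agent) {
            $_SESSION['device_changed'] = true;
        }
        return true;
    }

    // Call after login or any privilege change. The old record is kept with a
    // forwarding note, instead of being deleted as session_regenerate_id(true) would.
    public static function regenerate(): void
    {
        $data  = $_SESSION;                 // keep the live data for the new id
        $newId = session_create_id();       // PHP 7.1+

        $_SESSION['new_session_id'] = $newId;
        $_SESSION['destroyed_at']   = time();
        session_commit();                   // writes the forwarding note under the old id

        // Strict mode would refuse an id that has no record yet, so lift it
        // only for the switch to the new id.
        ini_set('session.use_strict_mode', '0');
        session_id($newId);
        session_start();
        ini_set('session.use_strict_mode', '1');

        $_SESSION = $data;                  // new id carries the same data, without the note
    }
}

// Typical use at the top of every request (constructed usage, not page code):
// if (!Session::start()) { /* send the user to the login page */ }
// ... and after a successful login: Session::regenerate();
```

The important call is `Session::regenerate()` right after authentication or a privilege change; that is what stops a pre-login id from carrying over into the logged-in session. A random 10% regeneration per request, as sketched in the class above, is a bonus rather than a substitute for that. Treating a reuse of the old id after the grace window as a reason to drop the session (rather than silently moving it) is the defender's choice here: a legitimate client will have picked up the new cookie long before then, so a late arrival of the old id is worth a fresh login.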
