[SOLVED] Session logic

[john010117]

Since I have yet to find a good and easy-to-follow tutorial on session_set_save_handler, I am just coding my own PHP session system where it saves a user's activity throughout the site into a MySQL database. Tell me if I need any improvements to my logic.

 

Logging in

First, when a user logs in, I will first check to see that the user/pass they've provided matches the ones stored in the database. Then, I will get the PHPSESSID from that user ($_REQUEST['PHPSESSID']) and put that as a value in a cookie. Then, I will INSERT the uid (user id) and the PHPSESSID in a seperate, sessions table. I will then create a session ($_SESSION) named after the user's uid.

 

Browsing throughout the site

On all of the secure pages, I will just include the session_check.php file.

 

session_check.php

Every time a user loads the page, I will first check that the $_SESSION['uid'], and the PHPSESSID cokkie exists. Then, I will take the value of that cookie, and check it against the PHPSESSID data stored in the database. If it matches, the user may continue on. If it doesn't (or one doesn't exist), the user will be redirected to login.php.

 

So, can you make any suggestions to improve this system? Or do you have a good tut on session_set_save_handler that stores it in a database?

[roopurt18]

http://www.php.net/session_set_save_handler

Did you start here and read all of the comments?

 

Also, why are you wanting to store it in the DB?  You want data to persist across user visits to the site?

[john010117]

Yes, I've read that page and read all of the comments. The codes posted there either saves the session data to files (which I really don't want) or they don't really explain a lot. I want to be able to save sessions to a database, so I can easily view who logged in/logged out and at what time/date. Since I am more fluent with PHP/MySQL than PHP/Files, that's the route I want to take. Any suggestions?

[roopurt18]

I want to be able to save sessions to a database, so I can easily view who logged in/logged out and at what time/date.

 

For that purpose, why don't you just add a column in your users table named last_login_dt and every time a user logs in, update it to the current date / time?

 

As a general rule, you should be storing as little data as possible in your sessions and I think there are very few real reasons to save a user's session between visits to the site.

[john010117]

Right. Why didn't I think of that before? Thanks.

[roopurt18]

An extended approach if all request for your site go through a single entry point is to create a user_activity table.  In that table, store the URI of every request and attach it to the user.  Additionally, you can store any $_GET, $_POST, $_SESSION, and / or $_COOKIE data as well.

 

A good way to see how people are using your site.

 

To clarify, the benefit of this approach is not only do you know when they logged in, but you can see the order in which they browsed your site.

 

"Hmmm...how come a guest is viewing an administrator page?"

[john010117]

Right. I'll try that out. Thanks.

[steelmanronald06]

Have you given adodb a try?? http://adodb.sf.net  It is a database abstraction layer library, but it has a built in custom session handler that stores to a flat file or a database, your choice.  Pretty advanced. Also, CakePHP framework is the same way.

[john010117]

I'll check those out. Thanks.