Managing Session

[kecebongsoft]

Hi,

 

I am currently developing a website that can be accessed in mobile phone. Because not all of mobile browser doesn't support cookie, so I need to put the sessionid on every url, and that increase the filesize :-(.

 

So I make a plan to store the session ID in the database, and attach the ID of the record in every URL, i.e : index.php?sid=1, the workflow is something like this :

 

 

1. User visit the website

2. Check wheter $_GET['sid'] is exists or not, if not, store new session id, user agent/browser, and ip address into database

3. Get the record id, and set value of 'sid' variable in the url to record id (i.e. index.php?sid=1)

 

When the user visit the website, the system will check the 'sid' variable first, and match the criteria (useragent and ip address), if visitor's useragent and ip is same with the record in the database, system will allow the visitor to use that session id, if not, then the system create new session id.

 

is that secure? I never use this method before, is there any chance to hack this method?. am also want to use timestamp to record the visitor's activity, if user try to use the same 'sid' after 30mins, then the 'sid' will not usable again.

 

thanks.

[rameshfaj]

The PHP is itself responsible for managing session once u stored something in session.You donot need to store it in database and retrieve again as the database connection and query execution may make the system slower.

[kecebongsoft]

Thanks for your reply..

 

Yes, but I'm working with mobile phone's browser now, which is not supporting cookie to save the sessionid, so the only way to get the sessionid is by attaching the sessionid in the url. We don't need to use this method for developing a website for PC because PC's browsers are supporting cookie, cmiiw.

 

I need sessionid to tell PHP what session I want to access. I've read from PHP.net, session is only support 2 ways :

 

- Cookie

- URL

 

Thanks.