Session encryption necessary?
-
php_wiz_kid
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 24, 2003 7:33 pm
Session encryption necessary?
I have my session temporary files hashed in MD5, but since they're stored on the server I was wondering if it is really necessary to do that.
-
php_wiz_kid
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 24, 2003 7:33 pm
Well, personally, what I do is:
1. create a session and grab the session ID
2. this session ID is already an MD5 hash but I MD5 it again (dunno why, it's just my thing).
3. get the I.P. of the user and MD5 it
4. store the encrypted session ID and encrypted I.P. in the database
5. create a cookie on the client machine and store their encrypted session ID & encrypted I.P.
6. check details from the cookie against details in the database; if they match, bob's your aunty.
-
php_wiz_kid
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 24, 2003 7:33 pm
The I.P. will be the same, as we are storing this in the cookie. If the cookie does not exist then do steps 1-6 that I just mentioned...
Edit: you can set an expiry time on the cookie and delete the temporary records for that user when they log out, but this will leave idle records because not everyone logs out of things...
If you have access to cron jobs on your server then you can set one up on the server to automatically remove any records from the database that are more than a week old or something. This time would ideally be the same as the expiry time on the cookie, so that the cookie and the temporary records are deleted at the same time.
sorry forgot to add this
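An added example, not code from the thread: one way to implement the record check from steps 1-6 and the expiry purge from the follow-up post in PHP. It swaps MD5 for SHA-256, stores only digests in the database while the cookie carries the random token, and takes the IP from the request rather than from the cookie. The table, function names and sample values are hypothetical, and the pdo_sqlite extension is assumed.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Names are hypothetical; needs pdo_sqlite.

const LIFETIME = 7 * 24 * 3600; // one week, the same as the cookie expiry

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
               ip_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Steps 1-5: create a token, store its digest and the IP digest, return the cookie value.
function issue(PDO $db, string $ip, int $now): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), hash('sha256', $ip), $now + LIFETIME]);
    return $token;
}

// Step 6: find the row by token digest, reject expired rows, compare the IP digest.
function verify(PDO $db, string $cookie, string $ip, int $now): bool {
    $stmt = $db->prepare('SELECT ip_hash, expires FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookie)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] <= $now) {
        return false;
    }
    return hash_equals($row['ip_hash'], hash('sha256', $ip));
}

// The cron job: delete every row whose expiry has passed, return how many went.
function purge(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM sessions WHERE expires <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Constructed sample run (documentation-range addresses, fixed clock).
$db = openStore();
$t0 = 1700000000;
$cookie = issue($db, '203.0.113.7', $t0);
var_dump(verify($db, $cookie, '203.0.113.7', $t0 + 60));         // same client
var_dump(verify($db, $cookie, '198.51.100.9', $t0 + 60));        // other address
var_dump(verify($db, $cookie, '203.0.113.7', $t0 + LIFETIME));   // after expiry
var_dump(purge($db, $t0 + LIFETIME));                            // cron cleanup
```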
-
php_wiz_kid
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 24, 2003 7:33 pm