is this the correct way to go about doing it?
1. create a session and grab the session ID
2. this session ID is already an MD5 hash but I MD5 it again (dunno why, it's just my thing).
3. get I.P of user and MD5 it
4. store the encrypted session ID and encrypted I.P in temp table in database
5. create a cookie on the client machine and store their encrypted session ID and encrypted I.P.
6. check details from the cookie against details in the database; if they match, bob's your aunty.
How would records get deleted from the temp database, if I have no access to cron jobs?
any ideas?
session authentication with cookie and ip check
1. start session.
2a. if new session, add md5 of remote_addr + user_agent to session vars (md5 is not really needed, but you do get a nice 32char string)
2b. if existing session, check that md5 to current input. if they match, bob's your uncle (last time I checked that is...)
if you do want to keep session stuff in a database, use a timestamp field in that table. every time you update a row, that field gets updated automagically (read the docs), and run a delete query once in a while that deletes everything that's more than a day old or so...
example:
<?php
// Run the cleanup only when the current timestamp is divisible by 7,
// so roughly one request in seven pays for the DELETE.
if (time() % 7 == 0) {
    // $db is assumed to be an open mysqli connection (the removed mysql_* API is replaced);
    // `table` and ts_field are placeholder names.
    mysqli_query($db, 'DELETE FROM `table` WHERE ts_field < DATE_SUB(NOW(), INTERVAL 7 DAY)');
}
?>
if you want to add persistent logins for your users, add a second cookie, with an md5 hash of their user_agent, user_id + your_secret_string as its value, plus maybe their userid attached, eg:
<?php
if ($persistent) {
    // hash of user agent + user id + server-side secret string
    $hash = md5($_SERVER['HTTP_USER_AGENT'] . $user_id . 'hg94h4$%dg');
    // append the user id and the current time in clear text
    $hash .= ':' . $user_id . ':' . time();
    setcookie('sid_p', $hash, time() + $lifetime, '/');
}
// to retrieve (guarded so a missing or short cookie does not raise notices)
if (isset($_COOKIE['sid_p'])) {
    list($hash, $uid, $lastlogin) = array_pad(explode(':', $_COOKIE['sid_p'], 3), 3, null);
}
?>
if you want real security, use ssl...
Sjon.
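One way to issue and check the persistent cookie described in the reply above, as an added example that is not part of the original posts. It swaps the md5 concatenation for HMAC-SHA256 with a constant-time comparison and puts the expiry under the MAC; the function names, COOKIE_SECRET and the sample values are assumptions.

```php
<?php
// Added example: COOKIE_SECRET is a placeholder; use a long random value
// stored outside the web root.
const COOKIE_SECRET = 'replace-with-a-long-random-secret';

// Build "mac:userid:expires". The MAC covers every field the server will
// later trust, plus the user agent the cookie was issued to.
function make_persistent_token(int $userId, string $userAgent, int $expires): string
{
    $payload = $userId . ':' . $expires;
    $mac = hash_hmac('sha256', $payload . ':' . $userAgent, COOKIE_SECRET);
    return $mac . ':' . $payload;
}

// Return the user id if the cookie is authentic and unexpired, else null.
function verify_persistent_token(string $cookie, string $userAgent, int $now): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;                       // malformed cookie
    }
    [$mac, $uid, $expires] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return null;                       // fields must be plain integers
    }
    $expected = hash_hmac('sha256', $uid . ':' . $expires . ':' . $userAgent, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // client-edited field or different user agent
    }
    if ((int)$expires < $now) {
        return null;                       // expiry is enforced server-side
    }
    return (int)$uid;
}

// Constructed sample values, not taken from the thread.
$ua    = 'Mozilla/5.0 (constructed sample)';
$now   = 1700000000;
$token = make_persistent_token(42, $ua, $now + 86400);

var_dump(verify_persistent_token($token, $ua, $now));            // untouched cookie
$forged = preg_replace('/:42:/', ':43:', $token);                // user id edited by the client
var_dump(verify_persistent_token($forged, $ua, $now));
var_dump(verify_persistent_token($token, 'other browser', $now)); // replayed from another user agent
var_dump(verify_persistent_token($token, $ua, $now + 2 * 86400)); // presented after expiry
```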
When storing the IP address (md5 or not), isn't this causing problems for AOL users accessing your site?
Unfortunately, AOL is still extremely popular among users and, from what I understand, its users bounce across many different proxies.
A fairly obvious problem would be that AOL users, and possibly other multiple-proxy users, will keep getting logged out of the site unintentionally.
Am I mistaken?