Will this work properly with heavy load?
Posted: Fri Jan 20, 2006 12:00 pm
After reading more than my mind can handle over the past
few months about how to and why to create a
Challenge/Response type of User Auth system,
I think I have properly created a way to validate Session Data.
I am still working on cookie code, so below is just how I think
I will handle Session Validation.
It works like this...
User logs in, Session created as SHA1/Random value.
Session Data stored in SQL in the User Table and in
a second separate table.
The second table holds the user id and the session value.
The second table session value must always match the
User Table session value. If not, then the user is forced to log in.
On each page load, the Session is compared between the
two tables. If successful, then the correct session is deleted
and a new session created. The new session is then checked on
next page load... and it just continues until they log out or close the browser.
My question is..... with the current code does anyone see
potential conflicts if the site has 10, 50, 100+ users at once and
all being checked and updated on each page load?
Code:
function session_anti_theft(){
    //We first check the sql table created purely
    //To hold the correct session value with the user id number
    //This must ALWAYS match the session inserted in the USERS table
    //If not, then we can assume its not the real user, or they
    //Have opened a new browser and need to re-login!
    //Cast the id so nothing but a number can reach the query string
    $userid = (int) $_SESSION['userid'];
    $sql = "SELECT correct_session FROM vf_news_user_sess WHERE userid=$userid";
    $query = mysql_query($sql);
    //Stays null when no row exists, so the check below fails closed
    $use_id_ses_check = null;
    if ($row = mysql_fetch_assoc($query))
    { $use_id_ses_check = $row['correct_session']; }
    //Strict compare: a missing row or missing session value must NOT
    //compare equal to each other (null != null is false in PHP)
    if ($use_id_ses_check === null || !isset($_SESSION['current_online'])
        || $use_id_ses_check !== $_SESSION['current_online'])
    {
        //Create default session values for non-logged in users
        //And force to login page since they are not logged in
        session_login_set();
    }else{
        //Both tables match same session.
        //Lets now destroy the matching session
        //And create a new session to check against
        //On next page load
        unset ($_SESSION['current_online']);
        $mnew = sha1(uniqid(rand(), true));
        $_SESSION['current_online'] = $mnew;
        //Great! New session created
        //Lets now go ahead and insert new session info
        //Into both the user's table and the matching session table
        //($mnew is a hex digest, so it is safe to interpolate)
        $query="UPDATE vf_news_users SET session='$mnew' WHERE userid=$userid";
        mysql_query($query);
        $lquery="UPDATE vf_news_user_sess SET correct_session='$mnew' WHERE userid=$userid";
        mysql_query($lquery);
    }
}
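The compare-then-rotate step from the post, rewritten as an added example (not the poster's code) in Python with an in-memory sqlite3 table standing in for vf_news_user_sess, so the load question can be tried offline. The rotation is a single UPDATE conditioned on the old value, so two requests racing with the same token cannot both succeed; the second one (a second tab or an image request arriving before the first response sets the new value) sees a stale token and is logged out, which is the conflict to expect when every page load rotates. Names `user_sess`, `presented` and `login` are assumptions for the demo.

```python
import hmac
import secrets
import sqlite3


def make_db():
    # Constructed schema: one row per user, like the poster's second table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_sess (userid INTEGER PRIMARY KEY, correct_session TEXT NOT NULL)"
    )
    return conn


def new_token():
    # 32 bytes from the OS CSPRNG rather than sha1(uniqid(rand())).
    return secrets.token_hex(32)


def login(conn, userid):
    tok = new_token()
    conn.execute(
        "INSERT OR REPLACE INTO user_sess (userid, correct_session) VALUES (?, ?)",
        (userid, tok),
    )
    conn.commit()
    return tok


def validate_and_rotate(conn, userid, presented):
    """Return a fresh token if `presented` is the stored one, else None.

    `presented` plays the role of $_SESSION['current_online'].  The UPDATE is
    conditioned on the old value, so of two concurrent requests carrying the
    same token exactly one wins; the loser gets None and must log in again.
    """
    row = conn.execute(
        "SELECT correct_session FROM user_sess WHERE userid = ?", (userid,)
    ).fetchone()
    # Fail closed on a missing row; constant-time compare on the token bytes.
    if row is None or not hmac.compare_digest(row[0].encode(), presented.encode()):
        return None
    fresh = new_token()
    cur = conn.execute(
        "UPDATE user_sess SET correct_session = ? WHERE userid = ? AND correct_session = ?",
        (fresh, userid, presented),
    )
    conn.commit()
    return fresh if cur.rowcount == 1 else None
```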