Creating database sessions
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Hi,
I would like to know the benefits of database sessions compared to built-in sessions. Built-in sessions need cookies enabled in the visitor's browser, so that's the first benefit.
Also, any good tutorials on creating database sessions? I need to create sessions for my application without needing to have cookies enabled in the web browser.
Thank you.
Re: Creating database sessions
kaisellgren wrote:
    I need to create sessions for my application without needing to have cookies enabled in the web browser.

You can't. HTTP is stateless, which means that once I get my file, Apache/IIS/whatever you're using for a webserver forgets about me. There is no way for it to know that a subsequent file request is from the same person. That's where sessions come in & work behind the scenes in your code - to remember who is who.
I use database sessions personally, but I'm not sure if I can think of any advantages to one over the other. I guess there's less code to write for using built in sessions.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- kaisellgren
Heh. No 
This board (or at least the people I know on it) prides itself with encouraging members to help themselves first. If you want, I can outline the theory behind using database sessions, but I'm not going to do your work for you
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- kaisellgren
Heh, that's fine.
So, firstly I need to create a new table in the MySQL database:
session_id INT NOT NULL AUTO_INCREMENT,
Hmm, what else do I need to add...
But what about the real-time part? How do I know when a user leaves? Do I just mark the session as outdated if more than 5 minutes have passed since the last click somewhere?
Re: Creating database sessions
pickle wrote:
    kaisellgren wrote:
        I need to create sessions for my application without needing to have cookies enabled in the web browser.
    You can't.

Yes you can, by passing the session id as a GET or POST variable.
kaisellgren, storing sessions in a file or a database has no connection to how you identify a user (by a session id passed in a cookie, or via GET/POST). Read the chapter on sessions in the manual; it's pretty thorough and will answer both topics, session storage and session ids.
@~Mordred - Well, technically that's true. I guess I spoke in error. However, putting it as a GET variable in the URL is insecure if someone happens to walk by the user's computer. Putting it in POST is doable, but a pain in the butt - impractical at best (in my opinion).
@~kaisellgren - The minimum you need is the session id. In my implementation, I also associate the username with the session id. My implementation was built before I got on the job though, so I'm not sure why it's stored. The time, as you imagined, is also important. We have a 20 minute time out where I work. On every page load that uses the sessions, the `last updated` field is checked & if it's within the last 20 minutes, the page continues. The `last updated` field is then updated to now. If the `last updated` field is older than 20 minutes, the user needs to re-authenticate.
Make sense?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
- kaisellgren
Yes, makes a lot of sense.
session_id INT NOT NULL AUTO_INCREMENT
username INT NOT NULL DEFAULT '1'
last_updated INT NOT NULL DEFAULT '0'
When the user submits the POST login and the code is correct, it adds a new row into the above table with the username and time(). Whenever the user requests a page, the table is searched for the username; if the username is found and time() < last_updated+20*60 -> the user still has a session. If the time is too old, the user needs re-authentication. ?
You need to keep track of the session id as well. Otherwise, someone can easily hijack a session as long as they know the username. Making the session id a random string will make that much more difficult. So whenever a user requests a page, the table should be checked for the session id, not just the username.
You also need to handle the situation where someone requests a page but doesn't have a valid session period - not just an expired one.
Also, it would probably be better to use either strtotime() or MySQL date functions to add the 20 minutes, rather than + 20 * 60. Both PHP & MySQL will take care of daylight saving time & leap years & all that for you.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
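Editor's example, not code posted in the thread: the checks pickle describes above (lookup by session id rather than username, a 20-minute inactivity window computed with strtotime() instead of + 20*60, and "no session at all" handled separately from "expired") put together in modern PHP. It uses PDO with an in-memory SQLite database so it runs offline; the table and queries are assumptions that mirror kaisellgren's column list and would need only type adjustments for MySQL. The 20-minute policy and the clock values are constructed for the walk-through.

```php
<?php
// Editor's example (not from the thread). Database-backed sessions keyed by a
// random session id, with an inactivity timeout and a clear distinction between
// "no such session" and "expired session".

const SESSION_TIMEOUT = '+20 minutes';   // assumed policy, taken from pickle's post

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');     // assumption: pdo_sqlite is available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // last_updated is a Unix timestamp so strtotime() can be applied to it.
    $db->exec('CREATE TABLE sessions (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        session_id TEXT NOT NULL UNIQUE,
        username TEXT NOT NULL,
        last_updated INTEGER NOT NULL
    )');
    return $db;
}

// Called once after a successful login: insert a row under a fresh random id.
function start_session(PDO $db, string $username, int $now): string
{
    $sid = bin2hex(random_bytes(16));     // 32 hex chars from the CSPRNG, not from the clock
    $stmt = $db->prepare('INSERT INTO sessions (session_id, username, last_updated) VALUES (?, ?, ?)');
    $stmt->execute([$sid, $username, $now]);
    return $sid;
}

// Called on every page load. The lookup is by session id only; the username is
// read back from the row, never trusted from the request.
//   ['status' => 'none']                         no usable session id / no row
//   ['status' => 'expired', 'username' => ...]   row exists but idle too long
//   ['status' => 'valid',   'username' => ...]   and last_updated is refreshed
function check_session(PDO $db, ?string $sid, int $now): array
{
    if ($sid === null || preg_match('/\A[0-9a-f]{32}\z/', $sid) !== 1) {
        return ['status' => 'none'];      // malformed or missing: treat as no session
    }
    $stmt = $db->prepare('SELECT username, last_updated FROM sessions WHERE session_id = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['status' => 'none'];
    }
    // Deadline = last activity + 20 minutes, via strtotime() rather than + 20*60.
    $deadline = strtotime(SESSION_TIMEOUT, (int) $row['last_updated']);
    if ($now >= $deadline) {
        // Idle too long: drop the row so the old id cannot be replayed later.
        $db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$sid]);
        return ['status' => 'expired', 'username' => $row['username']];
    }
    // Still inside the window: slide it forward to now.
    $db->prepare('UPDATE sessions SET last_updated = ? WHERE session_id = ?')->execute([$now, $sid]);
    return ['status' => 'valid', 'username' => $row['username']];
}

// Logout: remove the row so the id stops working immediately.
function end_session(PDO $db, string $sid): void
{
    $db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$sid]);
}

// Walk-through with a constructed clock instead of time().
$db  = open_store();
$t0  = 1136613120;                        // constructed timestamp
$sid = start_session($db, 'kaisellgren', $t0);

// 5 minutes idle: inside the window, and last_updated moves to t0 + 5 min.
echo check_session($db, $sid, $t0 + 5 * 60)['status'], PHP_EOL;
// Wrong shape: never reaches the database.
echo check_session($db, 'not-a-session-id', $t0 + 5 * 60)['status'], PHP_EOL;
// 21 more minutes idle: past the deadline, row is removed.
echo check_session($db, $sid, $t0 + 26 * 60)['status'], PHP_EOL;
// Same id again: the row is gone, so this is "none", not "expired".
echo check_session($db, $sid, $t0 + 26 * 60)['status'], PHP_EOL;
```

The status values let the calling page distinguish the three cases pickle lists: send a bare visitor to the login form, tell a timed-out user why they are being asked to log in again, and let everyone else through. Where the session id comes from (cookie, POST or GET) is deliberately left to the caller.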
- kaisellgren
id INT NOT NULL AUTO_INCREMENT
session_id NOT NULL DEFAULT '0'
username INT NOT NULL DEFAULT '1'
last_updated INT NOT NULL DEFAULT '0'
Do I put the information in the URL, or what should I do?
Like: index.php?psi=5834053945&username=pickle ?
And oh yeah, I know how to handle times. My 20*60 time example was just a quick sample demonstration.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Useful Posts may be of interest.
- kaisellgren
feyd wrote:
    Useful Posts may be of interest.

Thanks. Two good threads there.
pickle wrote:
    However, putting it as a GET variable in the URL is insecure if someone happens to walk by the user's computer.

@pickle, you seriously mean that people will shoulder-browse, remember and then copy a 32-character string?
There are dangers, yes, of sessions being stolen from browser histories, caches, caching proxies, men-in-the-middle, but there is little practical difference for most of these "attacks" (though I agree that security-wise SECURE(cookie) > SECURE(POST) > SECURE(GET) )
@kaisellgren: choose a good long random string for session_id (uniqid() maybe)
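Editor's example, not code posted in the thread: generating the "good long random string" Mordred recommends and carrying it without cookies, in the order the thread ranks the transports (cookie, then POST, then GET). The PHP manual notes that uniqid() is derived from the current time and is not cryptographically secure, so random_bytes() is used instead. The parameter name psi is borrowed from kaisellgren's URL example; the hidden field and link helpers are assumptions about how a page would pass the id along, and the request arrays in the walk-through are constructed.

```php
<?php
// Editor's example (not from the thread). Session id generation plus reading the
// id back from a request with cookie > POST > GET precedence, as discussed above.

const SESSION_PARAM = 'psi';              // parameter name from kaisellgren's URL example

// 128 bits from the CSPRNG, rendered as the 32-character string Mordred mentions.
function generate_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Accept only ids in exactly the shape we issue, so stray input never reaches the DB.
function is_well_formed_session_id(string $candidate): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $candidate) === 1;
}

// Cookie beats POST beats GET. Returns null when no usable id is present, which
// the caller treats as "no session" rather than "expired".
function session_id_from_request(array $cookie, array $post, array $get): ?string
{
    foreach ([$cookie, $post, $get] as $source) {
        $value = $source[SESSION_PARAM] ?? null;
        if (is_string($value) && is_well_formed_session_id($value)) {
            return $value;
        }
    }
    return null;
}

// POST transport: a hidden field that every protected form carries along
// (pickle's "doable but a pain"). Escaped so the id cannot break out of the attribute.
function hidden_session_field(string $sid): string
{
    return '<input type="hidden" name="' . SESSION_PARAM . '" value="'
        . htmlspecialchars($sid, ENT_QUOTES) . '">';
}

// GET transport: append the id to a link. Least preferred, because the URL ends
// up in browser histories, caches and proxy logs, as Mordred notes.
function url_with_session(string $path, string $sid): string
{
    $sep = strpos($path, '?') === false ? '?' : '&';
    return $path . $sep . http_build_query([SESSION_PARAM => $sid]);
}

// Walk-through with constructed request arrays standing in for $_COOKIE/$_POST/$_GET.
$sid = generate_session_id();
$demo_cookie = [];                                      // visitor has cookies disabled
$demo_post   = [SESSION_PARAM => 'not-a-session-id'];   // malformed: skipped
$demo_get    = [SESSION_PARAM => $sid];                 // well-formed: picked up

echo session_id_from_request($demo_cookie, $demo_post, $demo_get), PHP_EOL;
echo hidden_session_field($sid), PHP_EOL;
echo url_with_session('index.php', $sid), PHP_EOL;
```

Checking the shape of the id before it is used is cheap and keeps malformed values out of the database query; the lookup itself is what decides whether the id is live, which the previous example handles.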