Creating database sessions
Posted: Thu Jan 18, 2007 9:38 am
by kaisellgren
Hi,
I would like to know the benefits of database sessions compared to built-in sessions. Built-in sessions need cookies enabled in the visitor's browser, so that's the first benefit.
Also, any good tutorials on creating database sessions? I need to create sessions for my application without needing to have cookies enabled in the web browser.
Thank you.
Re: Creating database sessions
Posted: Thu Jan 18, 2007 9:50 am
by pickle
kaisellgren wrote:I need to create sessions for my application without needing to have cookies enabled on web browser.
You can't. HTTP is stateless, which means that once I get my file, Apache/IIS/whatever you're using for a webserver forgets about me. There is no way for it to know that a subsequent file request is from the same person. That's where sessions come in & work behind the scenes in your code - to remember who is who.
I use database sessions personally, but I'm not sure if I can think of any advantages to one over the other. I guess there's less code to write for using built in sessions.
Posted: Thu Jan 18, 2007 9:55 am
by kaisellgren
Thanks for your comments.
Can you give me any plain code (.zip?) of script that uses database sessions?
Posted: Thu Jan 18, 2007 10:06 am
by pickle
Heh. No
This board (or at least the people I know on it) prides itself with encouraging members to help themselves first. If you want, I can outline the theory behind using database sessions, but I'm not going to do your work for you

Posted: Thu Jan 18, 2007 10:11 am
by kaisellgren
Heh, that's fine.
So, firstly I need to create a new table in the MySQL database:
session_id INT NOT NULL AUTO_INCREMENT,
Hmm, what else I need to add...
But what about the real-time tracking? How do I know when a user leaves? Do I just make the session outdated if more than 5 minutes have passed since the last click somewhere?
Re: Creating database sessions
Posted: Thu Jan 18, 2007 10:20 am
by Mordred
pickle wrote:
kaisellgren wrote:I need to create sessions for my application without needing to have cookies enabled on web browser.
You can't.
Yes you can, by passing the session id as a get or post variable.
kaisellgren, storing sessions in a file or database has no connection to how you identify a user (by session id passed in a cookie, or GET/POST). Read the chapter on sessions in the manual, it's pretty thorough and will answer both topics of session storage and session ids.
Posted: Thu Jan 18, 2007 10:46 am
by pickle
@~Mordred - Well, technically that's true. I guess I spoke in error. However, putting it as a GET variable in the URL is insecure if someone happens to walk by the user's computer. Putting it in POST is doable, but a pain in the butt - impractical at best (in my opinion).
@~kaisellgren - The minimum you need is the session id. In my implementation, I also associate the username with the session id. My implementation was built before I got on the job though, so I'm not sure why it's stored. The time, as you imagined, is also important. We have a 20 minute time out where I work. On every page load that uses the sessions, the 'last updated' field is checked & if it's within the last 20 minutes, the page continues. The 'last updated' field is then updated to now. If the 'last updated' field is older than 20 minutes, the user needs to re-authenticate.
Make sense?
Posted: Thu Jan 18, 2007 11:05 am
by kaisellgren
Yes, makes a lot of sense.
CREATE TABLE sessions (
  session_id INT NOT NULL AUTO_INCREMENT,
  username INT NOT NULL DEFAULT '1',
  last_updated INT NOT NULL DEFAULT '0',
  PRIMARY KEY (session_id)
);
When the user submits a POST login and the credentials are correct, it adds a new row into the above table with the username and time(). Whenever the user requests a page, the table is searched for the username; if the username is found and time() < last_updated + 20*60 -> the user still has a session. If the time is too old, the user needs re-authentication. ?
Posted: Thu Jan 18, 2007 12:42 pm
by pickle
You need to keep track of the session id as well. Otherwise, someone can easily hijack a session as long as they know the username. Making the session id a random string will make that much more difficult. So whenever a user requests a page, the table should be checked for the session id, not just the username.
You also need to handle the situation where someone requests a page but doesn't have a valid session period - not just an expired one.
Also, it would probably be better to use either strtotime() or MySQL date functions to add the 20 minutes, rather than + 20 * 60. Both PHP & MySQL will take care of daylight saving time & leap years & all that for you.
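The scheme pickle lays out (a random session id looked up on every page load, a sliding 20 minute window computed with strtotime() rather than + 20*60, and "no session" treated separately from "expired session") as an added example. This is not code from the thread or from either poster; it uses PDO against an in-memory SQLite database so it runs offline, and the table name, column names and the sample usernames are assumptions. Against MySQL only the DSN and the AUTOINCREMENT spelling would change.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table/column names are assumptions;
// SQLite in memory stands in for the MySQL database the thread talks about.

const SESSION_TIMEOUT = '-20 minutes'; // sliding window, as in pickle's post

function openSessionStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE sessions (
        id           INTEGER PRIMARY KEY AUTOINCREMENT,
        session_id   CHAR(32) NOT NULL UNIQUE,
        username     VARCHAR(64) NOT NULL,
        last_updated DATETIME NOT NULL
    )');
    return $pdo;
}

// Called once after a successful login. 128 random bits, hex-encoded: unlike an
// AUTO_INCREMENT integer, this cannot be derived from knowing the username.
// $at lets the demo below create an already-idle session (constructed data).
function createSession(PDO $pdo, string $username, ?int $at = null): string
{
    $sessionId = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare(
        'INSERT INTO sessions (session_id, username, last_updated) VALUES (?, ?, ?)'
    );
    $stmt->execute([$sessionId, $username, date('Y-m-d H:i:s', $at ?? time())]);
    return $sessionId;
}

// Called on every page load. The lookup key is the session id, never the
// username alone. Returns 'none', 'expired' or 'active' so the caller can
// treat "no session at all" differently from "had one, but it timed out".
function checkSession(PDO $pdo, string $sessionId): array
{
    $stmt = $pdo->prepare('SELECT username, last_updated FROM sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['status' => 'none'];
    }
    // strtotime() instead of "+ 20*60": DST changes and calendar arithmetic are
    // handled for you (in MySQL the equivalent is NOW() - INTERVAL 20 MINUTE).
    if (strtotime($row['last_updated']) < strtotime(SESSION_TIMEOUT)) {
        $pdo->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$sessionId]);
        return ['status' => 'expired', 'username' => $row['username']];
    }
    // Still valid: slide the window forward to now.
    $pdo->prepare('UPDATE sessions SET last_updated = ? WHERE session_id = ?')
        ->execute([date('Y-m-d H:i:s'), $sessionId]);
    return ['status' => 'active', 'username' => $row['username']];
}

// Demonstration with constructed data: one fresh login, one idle for 30 minutes,
// and one id that was never issued.
$pdo   = openSessionStore();
$fresh = createSession($pdo, 'pickle');
$stale = createSession($pdo, 'kaisellgren', strtotime('-30 minutes'));

printf("fresh session: %s\n", checkSession($pdo, $fresh)['status']);
printf("stale session: %s\n", checkSession($pdo, $stale)['status']);
printf("unknown id:    %s\n", checkSession($pdo, 'not-an-issued-id')['status']);
```

The three outcomes map onto the thread's points: an expired row is deleted and reported as such so the application can ask the user to log in again, an unknown id is reported as having no session at all, and a valid one has its timestamp pushed forward. Nothing here looks a user up by username, so knowing someone's username buys an attacker nothing without the 32-character id.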
Posted: Thu Jan 18, 2007 2:03 pm
by kaisellgren
CREATE TABLE sessions (
  id INT NOT NULL AUTO_INCREMENT,
  session_id VARCHAR(32) NOT NULL DEFAULT '0',   -- column type was missing in the post
  username INT NOT NULL DEFAULT '1',
  last_updated INT NOT NULL DEFAULT '0',
  PRIMARY KEY (id)
);
Do I put the information in the URL, or what should I do?
Like: index.php?psi=5834053945&username=pickle ?
And oh yeah, I know how to handle times. My 20*60 example was just a quick sample demonstration.
Posted: Thu Jan 18, 2007 2:05 pm
by pickle
Look into setting cookies or sessions in PHP.
Posted: Thu Jan 18, 2007 3:21 pm
by feyd
Useful Posts may be of interest.
Posted: Fri Jan 19, 2007 2:12 am
by kaisellgren
Thanks. Two good threads there.

Posted: Fri Jan 19, 2007 2:57 am
by Mordred
pickle wrote:However, putting it as a GET variable in the URL is unsecure if someone happens to walk by the user's computer.
@pickle, you seriously mean that people will shoulder-browse, remember and then copy a 32-character string?

There are dangers, yes, of sessions being stolen from browser histories, caches, caching proxies, men-in-the-middle, but there is little practical difference for most of these "attacks" (though I agree that security-wise SECURE(cookie) > SECURE(POST) > SECURE(GET) )
@kaisellgren: choose a good long random string for session_id (uniqid() maybe)
Posted: Fri Jan 19, 2007 6:53 am
by kaisellgren
Thanks, I'll do that.
Before I start on my own session system, can any of you tell me whether there are any disadvantages to using database sessions instead of the built-in ones? What do you really suggest, using $_SESSION or db sessions?
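Mordred's point above (where the session lives and how the id travels are independent questions) means the two options in the last post are not exclusive. As an added example, not code from the thread or from any of the posters, this keeps PHP's built-in $_SESSION API and moves only the storage into a database by registering a SessionHandlerInterface with session_set_save_handler(). The php_sessions table and its columns are assumptions, and SQLite in memory stands in for MySQL; the id still travels in the ordinary session cookie.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table name and layout are assumptions.

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $maxLifetime)
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS php_sessions (
            id           VARCHAR(128) PRIMARY KEY,
            data         TEXT NOT NULL,
            last_updated INTEGER NOT NULL
        )');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // PHP calls this from session_start(); returning '' means "start empty".
    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data, last_updated FROM php_sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['last_updated'] < time() - $this->maxLifetime) {
            return ''; // unknown or expired id: never resurrect stale data
        }
        return $row['data'];
    }

    // Called at the end of the request with the serialised $_SESSION array.
    // REPLACE INTO is understood by both MySQL and SQLite.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare(
            'REPLACE INTO php_sessions (id, data, last_updated) VALUES (?, ?, ?)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: PHP calls this now and then with session.gc_maxlifetime,
    // so the table does not fill up with sessions nobody logged out of.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE last_updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Only the storage moved; the id is still carried by the session cookie.
ini_set('session.use_only_cookies', '1'); // do not accept ids from GET/POST
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
session_set_save_handler(new PdoSessionHandler($pdo, 20 * 60), true);
session_start();

$_SESSION['username'] = 'pickle'; // application code is unchanged
```

With this in place the answer to "$_SESSION or db sessions?" is both: the application keeps the less-code option pickle mentioned, while the data sits in a table that can be shared between web servers, inspected, and expired with the same 20 minute rule. The three ini settings are standard PHP directives and cover the cookie-versus-GET discussion earlier in the thread: ids are only read from the cookie, and an id the server did not generate is discarded rather than adopted.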