Advanced session help/insight
I have built my own session handler which finally gives me the ability to work with sessions, as I am able to both access and view/debug the contents of them. However, one of the things I encountered is that (no brainer) every time you close the browser window and open a new one, a new session id is issued. Now, could someone give me a pointer on where I should start looking to get some good cookie tutorials? I mean I need to make sure that if someone closes the browser window the session doesn't die, so I figure cookies are the only way to go. I have not worked with cookies with security issues for a while now and that is the sort of thing I am looking for. Also since now I can
would anyone suggest I issue my own session IDs? Is the 32 varchar given automatically unsafe? Should I MD5 like the date and time and perhaps a part of the session id issued and then store that? Am I way too paranoid?

Question 2: relating to garbage collect, I have set up that when a session is written an expiry time is issued. So I update my session issuing a $expiry = time() + $expiryseconds;
2 questions arise: if I set my expiry seconds to 2 days, and say the time now is 3 pm, then won't it be deleted instantly because in 2 days it will still be 2 pm?
This question I think is stupid, excuse me... but I still wish to have my expiry in seconds.
What if someone is submitting a form, and the garbage collect starts off and deletes the person's form on the spot? That's not right, right?
Then does that mean I should make sure that garbage collect only occurs at 4 am? What if someone from the other side of the world connects?
Regarding question 1:
An alternative to cookies would be to log (in a database or text file) REMOTE_ADDR, HTTP_USER_AGENT, SessionID and language for that session.
If someone opens a new window, do a quick check whether these values (REMOTE_ADDR, HTTP_USER_AGENT and language) of this new instance are already logged.
If that's the case, pull the old SessionID from the database or text file.
Why all this trouble? Well, cookies are just too unreliable to my mind.
patrikG's advice only helps when opening a new window, not when the user closes the window and returns. "Persistent" login across sessions is normally implemented via cookies. While you could store the REMOTE_ADDR, etc. in the database and check across sessions, you have absolutely NO good way of dealing with dialups or other machines on changing IPs under such a method.
This is the place where a cookie makes sense. Roughly speaking, a "good" cookie format would likely be
identifier+expirationDate+MD5(identifier+expirationDate+ServerSecret)
Where identifier = a "persistent session identifier"; a username may or may not be sufficient depending on how you handle login from multiple computers by the same user (such as home and work).
expirationDate should be a full date after which time the cookie is invalid, not just a number of seconds remaining.
ServerSecret is some secret phrase known only on the server, protected as you protect your database password.
'+' represents string concatenation with some delimiter that will not appear in any of the components.
The "payload" (id+date) is MAC'd using MD5 and then prepended using the same delimiter to allow you to detect tampering with any component of the payload.
For more details/ examples and links to non-PHP specific cookie advice see a thread of mine from last fall.
viewtopic.php?t=3190
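Here is an added worked example of the cookie format described in this reply (it is not code from the original thread). It mints and verifies identifier+expirationDate+MAC cookies with an absolute expiry; the keyed hash is HMAC-SHA256 rather than the MD5(payload+secret) construction named above, and the secret, delimiter and sample identifier are constructed values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example values: the real ServerSecret must live only on the server,
# protected like the database password, and never be sent to the client.
SERVER_SECRET = b"example-server-secret-change-me"
DELIM = "|"  # the '+' of the post: must never appear inside identifier or date


def mac(identifier: str, expires: int, secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash over the payload (identifier + expirationDate).
    HMAC-SHA256 stands in here for the MD5(payload+secret) idea in the thread."""
    payload = f"{identifier}{DELIM}{expires}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def mint_cookie(identifier: str, lifetime_seconds: int, now: Optional[int] = None) -> str:
    """Build identifier|expirationDate|MAC. expirationDate is an absolute Unix
    timestamp (a full date), not a count of seconds remaining."""
    if DELIM in identifier:
        raise ValueError("identifier must not contain the delimiter")
    now = int(time.time()) if now is None else now
    expires = now + lifetime_seconds
    return DELIM.join([identifier, str(expires), mac(identifier, expires)])


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the identifier if the cookie is untampered and unexpired, else None."""
    parts = cookie.split(DELIM)
    if len(parts) != 3:
        return None
    identifier, expires_s, tag = parts
    if not expires_s.isdigit():
        return None
    expires = int(expires_s)
    # Recompute the MAC over the presented payload, so a change to either the
    # identifier or the date is detected; compare in constant time.
    if not hmac.compare_digest(tag, mac(identifier, expires)):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    return identifier
```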
As described by the manual, the default garbage collection is to run the garbage collector on every page request (probability=1) and to clean sessions that are older than 1440 seconds, or 24 minutes, since the last time that session was touched. The GC is run after loading the current page, so if a user requests a session and it's 30 minutes old but hasn't been GC'd, then it will still work and have another 24 minutes added to it. So if you have a low-use site without simultaneous sessions, the GC expire count can be highly variable. However, many OSes have somewhat flaky support, so it doesn't always work as promised.
There's a lot of notes about GC times in the interactive docs portion of the manual at http://www.php.net/session, including one rule-based method for mimicking the default with a database rule, should your database support it.