Ideas for Auto increment value for Session ID

bironeb
Forum Commoner
Posts: 59
Joined: Thu Nov 20, 2003 12:02 pm

Ideas for Auto increment value for Session ID

Post by bironeb »

I need help to add a session id value into my session table when someone logs into my site. Just a number that auto increments with every entry. Does anyone know a good place I can look for ideas, or does anyone have an idea or some code examples they can post?

Thanks.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Don't use auto_increment values as session ids. It's easy to guess an auto_increment value and then hijack others' sessions.

Besides that, read the manual about auto_increment values (if you do use MySQL, here is one: http://dev.mysql.com/doc/mysql/en/examp ... EMENT.html)
bironeb
Forum Commoner
Posts: 59
Joined: Thu Nov 20, 2003 12:02 pm

Post by bironeb »

Thanks for the link, Weirdan, but you say not to use auto increment for session id? Can you educate me on a better way?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

If your "session id" is something like the PHP one (e.g. a temporary unique identifier given to the user's browser to identify him throughout the site for some time period), it must be hard to guess. Autoincrement values are, obviously, easy to guess. Live example: this forum. If I could guess someone's session id I would have the ability to post (change settings, passwords etc.) as if I was him.
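
The point made above, as an added example that is not part of the original thread: the auto-increment column stays as an internal row key, while the value handed to the browser is a random token of which only a hash is stored. Table, column and function names are hypothetical, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. All names here are hypothetical.
// In-memory SQLite stands in for MySQL (assumption) so this runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions (
    id         INTEGER PRIMARY KEY AUTOINCREMENT, -- internal row key, never sent to the browser
    token_hash TEXT    NOT NULL UNIQUE,           -- SHA-256 of the token the browser holds
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Create a session row and return the secret token to place in the cookie.
function create_session(PDO $db, int $userId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO user_sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Resolve a presented token to a user id, or null if it is unknown or expired.
function find_session_user(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // not shaped like a token this code issues
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM user_sessions WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Constructed sample data: two logged-in users.
$alice = create_session($db, 101);
$bob   = create_session($db, 102);

var_dump(find_session_user($db, $alice));              // lookup with the real token
var_dump(find_session_user($db, '2'));                 // guessing a row id as the session id
var_dump(find_session_user($db, str_repeat('0', 64))); // well-formed but never issued
```

Because only the hash is stored, a read of the session table does not by itself yield usable tokens.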
bironeb
Forum Commoner
Posts: 59
Joined: Thu Nov 20, 2003 12:02 pm

Post by bironeb »

Ok, so rather than storing an auto increment value for the session id, when I session_start() it creates a number for the session and I should store that instead?
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Sounds like you are talking about a custom session handler. There are 'standard' methods for storing sessions in a database. See http://www.zend.com/zend/spotlight/code ... -wade8.php for one way, or search Google for 'php session handler'.
bironeb
Forum Commoner
Posts: 59
Joined: Thu Nov 20, 2003 12:02 pm

Post by bironeb »

Thanks Mark, this link is what I was looking for.