Ideas for Auto increment value for Session ID
Posted: Tue May 11, 2004 3:49 pm
by bironeb
I need help adding a session id value to my session table when someone logs into my site. Just a number that auto-increments with every entry. Does anyone know a good place I can look for ideas, or does anyone have an idea or some code examples they can post?
Thanks.
Posted: Tue May 11, 2004 3:58 pm
by Weirdan
Don't use auto_increment values as session ids. It's easy to guess an auto_increment value and then hijack others' sessions.
Besides that, read the manual about auto_increment values (if you do use MySQL, here is one:
http://dev.mysql.com/doc/mysql/en/examp ... EMENT.html)
Posted: Tue May 11, 2004 4:02 pm
by bironeb
Thanks for the link, Weirdan, but you say not to use auto increment for session id? Can you educate me on a better way?
Posted: Tue May 11, 2004 4:30 pm
by Weirdan
If your "session id" is something like the PHP one (e.g. a temporary unique identifier given to the user's browser to identify him throughout the site for some time period), it must be hard to guess. Autoincrement values are, obviously, easy to guess. Live example: this forum. If I could guess someone's session id, I would have the ability to post (change settings, passwords etc.) as if I was him.
Posted: Tue May 11, 2004 4:50 pm
by bironeb
Ok, so rather than storing an auto increment value for the session id, when I session_start() it creates a number for the session and I should store that instead?
Posted: Tue May 11, 2004 4:52 pm
by markl999
Sounds like you are talking about a custom session handler. There are 'standard' methods for storing sessions in a database. See
http://www.zend.com/zend/spotlight/code ... -wade8.php for one way, or search Google for 'php session handler'.
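An added example, not code from any poster in this thread: a session table that keeps an auto-increment column as an internal row key only, while the value handed to the browser is a random token that is hard to guess. The table layout, the function names and the use of an in-memory SQLite database through PDO are assumptions made so the example runs on its own.

```php
<?php
// Hypothetical helpers for illustration; not the linked Zend handler.
function open_store(): PDO
{
    $db = new PDO('sqlite::memory:'); // in-memory database so this runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // id is an internal auto-increment key and is never sent to the client.
    // token_hash is the SHA-256 of the random token the client holds.
    $db->exec('CREATE TABLE sessions (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        token_hash TEXT NOT NULL UNIQUE,
        user_id INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

function create_session(PDO $db, int $userId, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token; // goes into the cookie; the table stores only its hash
}

function lookup_session(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed value, e.g. a guessed row number
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

$db = open_store();
$alice = create_session($db, 1001); // constructed user ids
$bob = create_session($db, 1002);

var_dump(lookup_session($db, $alice));               // owner of the token
var_dump(lookup_session($db, '2'));                  // row id of the second session
var_dump(lookup_session($db, str_repeat('0', 64)));  // well-formed but unknown token
```

Knowing that the second row has id 2 gives no access to it, because lookups go through the token hash and never through the row id.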
Posted: Tue May 11, 2004 5:39 pm
by bironeb
Thanks Mark, this link is what I was looking for.