
Using sessions like cookies

Posted: Thu Jun 23, 2005 4:54 pm
by Atomiku
There is one thing that has been bugging me recently: it's that when my code has created a session, the session gets destroyed when the user closes the browser... I HAVE managed to find a way around it, but it does have major flaws...


Basically, my idea is to store the user's IP when he/she logs in. Then every time they go to a page on my site, it checks for their IP stored on login, then recreates the session.

Obviously, you can all see what could go wrong if two people have the same IP (if they are on a LAN, for instance).

So my question is... Is there any way that I can get some unique info about the computer that the user is on, then use that instead of the IP?

Thanks in advance, Matt.

Posted: Thu Jun 23, 2005 4:59 pm
by John Cartwright
Store their IP, the current time and a random value into 1 string. Then hash that string. Store that hash in a cookie along with the IP. Insert the same information into the database.

When they return to your site, check the cookie value against the database, making sure that the IPs are once again the same as well as the hash.

I would recommend using feyd's sha256 found @ viewtopic.php?t=32334

Posted: Thu Jun 23, 2005 5:05 pm
by Atomiku
Wow :o That was fast
Thanks :)

Posted: Thu Jun 23, 2005 5:25 pm
by patrikG
Doesn't work for AOL users though. They have a rotating IP almost every HTTP request. Rather look into storing sessions in the database (see session_handler in the PHP manual) and save that session_id in a persistent cookie (hashed or encrypted). If you want a user to "remain logged in", store their username and session_id in their cookie (you would still want a secure login when users want to use for forums or ecommerce (see how Amazon handles it)).
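
An added example, not code from any poster in this thread: one way to build the persistent-cookie login discussed above, with a random token in the cookie and only its SHA-256 hash in the database, and no IP binding because of the rotating-IP problem raised in the last post. The table name, cookie name and function names are hypothetical, an in-memory SQLite database stands in for the real one, and it assumes PHP 7.3 or later with PDO SQLite.

```php
<?php
// Added example: persistent "remember me" token kept server-side as a hash.
// Table and function names are hypothetical; SQLite in memory stands in for the real database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

function issue_token(PDO $db, int $userId, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));            // unguessable value that goes in the cookie
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;                                 // the database only ever holds the hash
}

function send_cookie(string $token, int $ttl = 1209600): void
{
    // Called from a web request after issue_token(); not used in the CLI demo below.
    setcookie('remember', $token, [
        'expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function verify_token(PDO $db, string $cookieValue): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
        return null;                               // malformed cookie never reaches the query
    }
    $hash = hash('sha256', $cookieValue);
    $stmt = $db->prepare('SELECT user_id, expires FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Single use: delete whatever matched so a copied cookie cannot be replayed later.
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    return (int)$row['user_id'];                   // caller starts a new session and issues a new token
}

// Constructed demo values: user 42 logs in, then returns after closing the browser.
$token = issue_token($db, 42);
var_dump(verify_token($db, $token));               // first use of the cookie
var_dump(verify_token($db, $token));               // replay of the same cookie
var_dump(verify_token($db, str_repeat('0', 64)));  // well-formed but unknown token
```

After a successful `verify_token()`, the caller would start a fresh session, call `issue_token()` again and send the new value with `send_cookie()`, so each cookie is accepted once.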