I'm new to this forum & this is my first post. Most of the time I muddle through & solve my own problems, but on this occasion I'd like the advice of others to make sure what I'm doing is OK & to ask a question.
I run an e-commerce site, all hand built, no off-the-shelf products used. Recently I had a few visitors complain that their baskets were getting emptied inexplicably. In this case, it suggests to me that their session ID is expiring, but it seems from what they say it happens after only 1 or 2 mins of inactivity (not the usual 24-minute PHP default).
On the site I generate my own session id using a home-brew encryption formula.
Basically it's something similar to this:
```php
$_SESSION['user'] = md5($browser_id . $secret_phrase . session_id());
```

This session identifies the contents of the user's basket, which is saved into a MySQL basket table.
Two questions, basically:
1) Do you think my user session is sufficiently secure in its encryption to protect against hijacking?
2) Regarding the session expiring, my guess is that it's expiring after 24 mins because it's not being refreshed each time a page loads. It may seem to the user that it's only 1-2 mins of inactivity, but in reality it's 24 mins since they first came to the website.
I'm unclear on this point so please can you confirm. Do I need to constantly update the session like this?
```php
if (!empty($_SESSION['user'])) {
    // re-assign the value on every page load
    $_SESSION['user'] = $_SESSION['user'];
}
```

Many thanks for your input.
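As an added example (not the poster's code) that covers both questions above, a PHP session bootstrap showing what actually controls the 24-minute expiry and what protects the session cookie against hijacking; it assumes PHP 7.3 or later (array form of session_set_cookie_params()) and that this file is included by every page before any output.

```php
<?php
// Added example, not the poster's code. Assumed: included at the top of every
// page; the MySQL basket table stays keyed by the server-side session id.

// 1) Lifetime. The garbage collector removes a session that has not been
//    accessed for session.gc_maxlifetime seconds (default 1440 = 24 minutes).
//    Every request that calls session_start() refreshes that timestamp, so
//    re-assigning $_SESSION['user'] adds nothing. To allow a longer idle
//    period, raise the limit itself.
ini_set('session.gc_maxlifetime', 2 * 60 * 60);   // 2 hours of inactivity

// Refuse session ids the server never issued (blocks session fixation).
ini_set('session.use_strict_mode', 1);

// 2) Hijacking. The session cookie is the bearer token; the md5() value kept
//    inside $_SESSION never leaves the server, so it gives no extra protection.
//    Harden the cookie that does.
session_set_cookie_params([
    'lifetime' => 0,       // until the browser closes; server limit above still applies
    'path'     => '/',
    'secure'   => true,    // sent only over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// 3) Explicit inactivity timeout, so expiry does not depend on when the
//    probabilistic garbage collector (session.gc_probability) happens to run.
const IDLE_LIMIT = 2 * 60 * 60;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();                 // drop the basket reference and everything else
    session_regenerate_id(true);     // fresh id; old session data is deleted
}
$_SESSION['last_seen'] = time();

// 4) Rotate the id whenever privilege changes (e.g. right after login), so an
//    id captured before login is useless afterwards.
function rotateSessionId(): void
{
    session_regenerate_id(true);
}
```

If several sites share one session save path, the smallest gc_maxlifetime among them wins, because each site's garbage collector deletes every file in that directory older than its own limit; use a separate session.save_path per site.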