Managing Session
Posted: Sun Feb 24, 2008 6:10 am
Hi,
I am currently developing a website that can be accessed on mobile phones. Because not all mobile browsers support cookies, I need to put the session id in every URL, and that increases the file size.
So I plan to store the session ID in the database and attach the ID of the record to every URL, e.g. index.php?sid=1. The workflow is something like this:
1. User visits the website
2. Check whether $_GET['sid'] exists or not; if not, store a new session id, user agent/browser, and IP address in the database
3. Get the record id, and set the value of the 'sid' variable in the URL to the record id (e.g. index.php?sid=1)
When the user visits the website, the system will check the 'sid' variable first and match the criteria (user agent and IP address). If the visitor's user agent and IP are the same as the record in the database, the system will allow the visitor to use that session id; if not, the system creates a new session id.
Is that secure? I have never used this method before; is there any chance to hack this method? I also want to use a timestamp to record the visitor's activity: if the user tries to use the same 'sid' after 30 mins, then the 'sid' will not be usable again.
thanks.
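As an added example that is not code from the original post, here is how the lookup described above could be implemented in PHP with the sequential record id (which any visitor can simply count up from) replaced by a random token, while keeping the poster's user-agent/IP binding and 30-minute timeout. It assumes a hypothetical PDO connection $pdo and a sessions table with the columns token, session_id, ua_hash, ip and last_seen.

```php
<?php
// Added example, not code from the post. Assumes a hypothetical PDO handle
// $pdo and table sessions(token, session_id, ua_hash, ip, last_seen).
// A sequential row id (index.php?sid=1) is guessable; a random token is not.
const SESSION_TTL = 1800; // 30 minutes, as in the post

function new_session(PDO $pdo, string $ua, string $ip): string {
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $stmt = $pdo->prepare(
        'INSERT INTO sessions (token, session_id, ua_hash, ip, last_seen)
         VALUES (:t, :s, :u, :i, :now)');
    $stmt->execute([
        ':t'   => $token,
        ':s'   => bin2hex(random_bytes(16)), // session id kept server-side
        ':u'   => hash('sha256', $ua),
        ':i'   => $ip,
        ':now' => time(),
    ]);
    return $token;
}

// Returns the stored session id, or null when the token is unknown, older
// than SESSION_TTL, or presented from a different user agent or IP address.
function resume_session(PDO $pdo, string $token, string $ua, string $ip): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // reject malformed values before querying
    }
    $stmt = $pdo->prepare('SELECT session_id, ua_hash, ip, last_seen
                           FROM sessions WHERE token = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    if (time() - (int)$row['last_seen'] > SESSION_TTL) {
        $pdo->prepare('DELETE FROM sessions WHERE token = :t')->execute([':t' => $token]);
        return null;
    }
    if (!hash_equals($row['ua_hash'], hash('sha256', $ua)) || $row['ip'] !== $ip) {
        return null; // the post's UA/IP binding; carrier proxies can change the IP
    }
    $pdo->prepare('UPDATE sessions SET last_seen = :now WHERE token = :t')
        ->execute([':now' => time(), ':t' => $token]);
    return $row['session_id'];
}
// index.php: resume when the URL carries a valid token, otherwise start afresh
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
$ip = $_SERVER['REMOTE_ADDR'] ?? '';
$sid = isset($_GET['sid']) ? resume_session($pdo, (string)$_GET['sid'], $ua, $ip) : null;
if ($sid === null) { // no usable session: mint one and put its token in the URL
    header('Location: index.php?sid=' . urlencode(new_session($pdo, $ua, $ip))); exit;
}
```

The UA/IP check only narrows who can reuse a token that has leaked through the URL (referrer headers, logs, bookmarks); the random token and the short expiry are what keep it from being guessed or reused indefinitely.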