  1. #1
    New Coder

    Keeping session alive

    Instead of the default flat files, I'm using a database to store user sessions because of the extra control. Keeping the session alive in the database is easy; all I have to do is assign a value of "1" to the row's "keep_alive" column ... however, that doesn't solve the problem of kick-starting a user's session again if their PHPSESSID cookie has expired.

    So far I've got the following code to work, and it involves setting a separate "keep_alive" cookie in addition to the standard session cookie:

    PHP Code:
    // Only do this if the session cookie is unset and the "keep alive"
    // cookie is set; "keep alive" contains the user's previous session id
    // in a sha1() hash
    if(!isset($_SESSION['session_name']) && isset($_COOKIE['keep_alive']))
       {
       // open database class
       $session = new db('','','','');

       // pull session id from all sessions where "keep_alive" is set
       $session = $session->rows('SELECT session_id FROM session_table WHERE keep_alive = "1"');

       // if $session contains database row(s)
       if($session != '')
          {
          // Do any session id's match the "keep alive" cookie
          $session_match = 0;

          // Check each session_id for a match with the "keep alive" cookie
          foreach($session as $a)
             {
             // if sha1() hash of session_id is the same as value in "keep alive"
             // cookie, set new PHPSESSID containing user's previous session id,
             // set $session_match to "1", break out of foreach, reload requesting
             // page with reset session
             if(sha1($a->session_id) == $_COOKIE['keep_alive'])
                {
                setcookie('PHPSESSID',$a->session_id,0,'/');
                $session_match = 1;
                header('Location: ' . $request);
                break;
                }
             }
          }

       // if no rows were pulled from database, or if none of the database rows
       // matched the value of the "keep alive" cookie and $session_match wasn't
       // set, kill redundant cookie
       if($session == '' || $session_match == 0)
          {
          setcookie('keep_alive',0,time()-5,'/');
          }
       }
    Does anyone foresee any potential problems with this method? It does work, but I'm not sure how secure or "foolproof" it is ... not to mention there may be an all-around better way to do it. All session names and cookie names will contain a hash of the user's user agent to help prevent hijacking by another user.

  • #2
    Regular Coder
    I am not sure why you are attempting to keep sessions alive. Sessions are meant to just last until the user closes the browser or times out after ~15 mins. If you want to keep a user logged in over multiple sessions use cookies. You can stash whatever information in there that you want and re-initialize the session variables when they visit your site again.

    A session id does not seem like the best way to keep track of users; just keep using their username as a way to keep track. I think you are making this a bit unnecessarily complex.

    Explain to me why you feel it's necessary to keep users on the same PHP session id every time. I bet you probably have a better reason that I am just not thinking of.
    Last edited by CrzySdrs; 09-10-2005 at 01:38 AM.
    What's the point of a signature?

  • #3
    New Coder
    I want to keep cookies to a minimum, that's all. I could really easily do all of this using a few cookies, but I've sometimes had problems with security when using them.

    I'm sure you're right, I'll just keep playing around.

  • #4
    Senior Coder missing-score
    Well the PHPSESSID is set in a cookie...

    Anyway, take a look here: http://uk2.php.net/manual/en/ref.session.php

    Something like this may or may not work; I've never needed to do this before:

    PHP Code:
    ini_set('session.gc_maxlifetime', (60*60*24));
    ini_set('session.cookie_lifetime', (60*60*24));
    // Set the session to last for a day..
    But even if it does work, I would advise against it... Sessions are designed partly for keeping pages secure... The longer a session is active, the more time it has to be potentially hijacked, thus crushing your security.

  • #5
    New Coder
    I've realised I was being dumb with the other code I'd written, so I'm going for something more simple, along the lines of what CrzySdrs suggested.

    My main problem is trying to secure it, and hashing everything so that there's less chance of another user being able to hijack the cookies/sessions.

    PHP Code:
    // Self explanatory
    session_start();

    // Create a hash of the host address and the user agent
    // Originally I hashed the IP, but users with a changing IP might have trouble staying logged in.
    // The hash() function (my own) uses a combination of hashes and salts to really mess things up
    $hash = hash(getenv('HTTP_HOST') . getenv('HTTP_USER_AGENT'));

    // $_COOKIE[$hash] keeps a unique (hopefully) and random identifying hash on each computer
    if(!isset($_COOKIE[$hash]))
       {
       setcookie($hash,hash(uniqid(rand(),true)),0,'/');
       $user_hash = '';
       }
    else
       {
       $user_hash = hash($_COOKIE[$hash] . $hash);
       }

    // $_COOKIE[$user_hash] is the "stay logged in" cookie, containing the user's ID # and the user's unique hash
    // $_SESSION[$user_hash] is the "logged in" session
    // No usernames or passwords are stored in the cookie
    if(isset($_COOKIE[$user_hash]) && !isset($_SESSION[$user_hash]))
       {
       // ID # and hash are encoded and serialized in cookie ... so undo that
       $i = @unserialize(base64_decode($_COOKIE[$user_hash]));

       // Make sure the two values from the cookie are set before trying to use them
       $a = (isset($i[0])) ? $i[0] : '';
       $b = (isset($i[1])) ? $i[1] : '';

       // Perform query using database class
       $i = $db->get_rows('SELECT * FROM user WHERE id = "' . intval($a) . '" AND hash = "' . mysql_real_escape_string($b) . '" LIMIT 1');

       // If database row(s) matched
       if(!empty($i))
          {
          // Log user back in
          }
       else
          {
          // Log in failed
          }
       }
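    An added example, not code from this thread or any of its posters, of the "stay logged in" cookie that posts #1 and #5 are building: the cookie carries a random selector and validator pair, so its value is a one-time secret rather than a hash of the session id or of anything stored in the user table, and a stolen database row does not yield a usable cookie. It assumes a PDO connection $pdo, a table remember_tokens(selector, validator_hash, user_id, expires), that session_start() has already run, and PHP 7.3+ for the setcookie() options array.

```php
<?php
// Added example (not from this thread): "stay logged in" cookie as a random
// selector:validator pair instead of the user id + stored hash in post #5.
// Assumed: PDO connection $pdo, table remember_tokens(selector,
// validator_hash, user_id, expires), session_start() already called, PHP 7.3+.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // 30 days

// Issue after a successful password login.
function issue_remember_token(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;
    $stmt = $pdo->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Run when the cookie is present but no session is logged in.
// Returns the user id, or null if the cookie is missing, expired or wrong.
function check_remember_token(PDO $pdo): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT user_id, validator_hash, expires
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Lookup is by selector only; the secret is compared in constant time.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')
            ->execute([$selector]);              // invalidate on mismatch
        return null;
    }
    session_regenerate_id(true);                 // fresh session id on re-login
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}
```

    Logging out should delete the row for the presented selector and expire the cookie, which is the database-side "kill" that post #1 does with a zeroed keep_alive cookie.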