Hi Peter,
I use about the same system, but instead of putting ids of tables into a session
variable (which is easy to guess) I use a md5( uniqid( rand(), true ) )
string and I create a record in the online table (similar to your session
table) with this string as primary key. I also add into the session a hashed
variable with the host. When I receive a request I check the session variable
($_SESSION['session_id'] in your case) and also the hashed string.
For session timeout I delete the record from the online table (session in
your case). For this I have a function which is called at a request of
any script at a reasonable interval (like once every 10 mins) and removes from
the online table every session that passed a number of seconds (which I
defined). When a request comes with a session id, and I don't find it in
the online table I say that the session is expired.
I'm not saying this is the best, this is what I use.
Regards,
Andy
Peter Lauri wrote:
Hi,
I would like to get some comments about my user system.
1. A user logs in, the username and password is checked against the database
2. If correct it adds a row in my database "session" with member_id.
$_SESSION['session_id'] will be set to the mysql_insert_id().
3. To verify if someone is logged on or not, I have a function isLoggedOn()
that checks if there is $_SESSION['session_id'] and it returns the
member_id. If not logged in, the isLoggedOn() returns FALSE.
4. I use the member_id to retrieve specific member information
5. To logout, I just unset $_SESSION['session_id']
Is this an ok system to continue to work on? Or is this a very weak system
that is easy to break in to?
I am thinking about setting a new variable $_SESSION['member_id'] so that I
do not need to do a query every time to get the member_id.
Thank you very much!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
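The following is an added example, not code posted by Andy or Peter, showing the flow the two messages describe in one runnable script: a server-side "online" table keyed by an unguessable token rather than by mysql_insert_id(), a hashed host value bound to the row, an isLoggedOn() that returns the member_id or FALSE, and the periodic sweep that deletes rows older than a fixed number of seconds. It swaps in bin2hex(random_bytes(16)) for the md5(uniqid(rand(), true)) string Andy mentions, since random_bytes draws from the OS CSPRNG while uniqid() and rand() are derived from the clock and a weak generator; the rest of the structure is the same. It assumes PHP 7 or later with the PDO SQLite driver, and uses an in-memory SQLite database in place of the MySQL table; every table, column and function name below is hypothetical, and the timestamps and addresses are constructed demo values.

```php
<?php
// Added example, not code from the mailing-list thread.
// Assumptions: PHP >= 7.0, PDO with the sqlite driver. An in-memory SQLite
// database stands in for the MySQL "online" / "session" table. All names
// (openStore, online, member_id, host_hash, last_seen, ...) are hypothetical.
declare(strict_types=1);

const SESSION_TTL_SECONDS = 600; // the "number of seconds" after which a row is stale

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE online (
        token     TEXT PRIMARY KEY,
        member_id INTEGER NOT NULL,
        host_hash TEXT NOT NULL,
        last_seen INTEGER NOT NULL
    )');
    return $db;
}

// "A hashed variable with host": keyed hash so the stored value cannot be
// recomputed by someone who only knows the client address.
function hostHash(string $remoteAddr, string $secret): string {
    return hash_hmac('sha256', $remoteAddr, $secret);
}

// Login step: insert the row and return the token that the application would
// then store in $_SESSION['session_id']. 128 random bits from the CSPRNG
// replace md5(uniqid(rand(), true)), which is derived from the clock and rand().
function createSession(PDO $db, int $memberId, string $remoteAddr, string $secret, int $now): string {
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO online (token, member_id, host_hash, last_seen) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$token, $memberId, hostHash($remoteAddr, $secret), $now]);
    return $token;
}

// isLoggedOn(): member_id on success, FALSE otherwise. A missing row (never
// created, swept, or logged out), a stale row, or a host mismatch all fail.
function isLoggedOn(PDO $db, ?string $token, string $remoteAddr, string $secret, int $now) {
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT member_id, host_hash, last_seen FROM online WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                  // not in the online table: expired
    }
    if ($now - (int)$row['last_seen'] > SESSION_TTL_SECONDS) {
        return false;                                  // stale row the sweeper has not removed yet
    }
    if (!hash_equals($row['host_hash'], hostHash($remoteAddr, $secret))) {
        return false;                                  // token presented from another host
    }
    // Refresh the timestamp so an active session is not swept.
    $db->prepare('UPDATE online SET last_seen = ? WHERE token = ?')->execute([$now, $token]);
    return (int)$row['member_id'];
}

// Logout: delete the row, so the token is dead even if $_SESSION still holds it.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM online WHERE token = ?')->execute([$token]);
}

// The periodic cleanup Andy describes: remove every row older than the TTL.
// Returns the number of rows removed.
function sweepExpired(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM online WHERE last_seen < ?');
    $stmt->execute([$now - SESSION_TTL_SECONDS]);
    return $stmt->rowCount();
}

// Demo with constructed values (documentation-range addresses, fake clock).
$db     = openStore();
$secret = 'server-side-secret-for-host-hash'; // hypothetical; keep it outside the web root
$t0     = 1000000;
$token  = createSession($db, 42, '203.0.113.7', $secret, $t0);

var_dump(isLoggedOn($db, $token, '203.0.113.7', $secret, $t0 + 60));   // int(42)
var_dump(isLoggedOn($db, $token, '198.51.100.9', $secret, $t0 + 60));  // bool(false): host mismatch
var_dump(isLoggedOn($db, $token, '203.0.113.7', $secret, $t0 + 2000)); // bool(false): past TTL
var_dump(sweepExpired($db, $t0 + 2000));                                // int(1)
```

In a real deployment the sweep runs from whatever script happens to be handling a request, as Andy describes, and the token is whatever the application keeps in $_SESSION['session_id']; binding the row to a host hash means a token copied to another client fails the check even before the row expires, while the per-row timestamp lets the table, not the PHP session cookie, decide when a login is over.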