Ryan Bayne
asked on
Essential PHP Security 'Store Session Data in a MySQL Database' how to implement
Hiya, I asked about this script previously but decided to cut it short. Changed my mind again and wish to implement and understand it fully.
I understand most of how it works within itself; it's all DB queries and comparing the data to make sure it matches, in short anyway.
But how do I actually implement it throughout my site?
Each function has a RETURN. Do I simply call the function before something like an IF statement?
And what about my existing login? Do I call the _open() function before or during the query to check the username and password?
Suppose there's a lot yet to understand, so anything you think can help me get started understanding this would be good. Thanks loads.
A basic implementation could be:
• session id captured if/when login is successful (modification of your current login probably required)
• session id is stored in a database table (possibly with the session id and a timestamp)
• session id stored in a cookie on the client
• each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
• upon a successful match the timestamp in the database is updated
• upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly
ASKER
ray-solomon I've looked over most of that already. I have used a lot of what it suggests but I still have no idea where I put _close() and _write(), and there's nothing else that seems to explain that. Basically I'm not sure how you bring it all together.
Tchuki, if I was to try and code your steps, from what I'm thinking just now I'd have some script such as what I already use for security and sessions, then a function is called...
1. session id captured if/when login is successful (modification of your current login probably required)
function _open(), so my own current login checking POST data against DB data and, say, setting $auth = 'yes'; on success.
Then do I use _write()?
2. session id is stored in a database table (possibly with the session id and a timestamp)
function _write($id, $data)
3. session id stored in a cookie on the client
My own implementation of setting the cookie
4. each time a "members" page is accessed, the session id is retrieved from the database and compared to that from the cookie
_read($id) and then compare the return with what I find in the cookie
5. upon a successful match the timestamp in the database is updated
_write($id, $data), after an IF statement is run regarding the outcome, I'm thinking
6. upon an unsuccessful match or the timestamp being greater than 1 hour (for example) session data is deleted from the database, cookie is deleted and user informed accordingly
part of the previous IF statement but with a different outcome
ASKER CERTIFIED SOLUTION
Hi,
please have a look at this article,
http://www.sitepoint.com/article/users-php-sessions-mysql
they have explained how to use sessions with login and implement them.
Hope this helps.
Also, http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/
ASKER
Tchuki, I understand that script better, BUT the script I showed a link to doesn't seem to come into play, am I right?! It looks like just another version of
session_set_save_handler('_open',
    '_close',
    '_read',
    '_write',
    '_destroy',
    '_clean');
Whatever, it looks like I could use your script as it is, or at least adapt it to my site a lot easier than what I was looking at already, and I'm understanding it all more. Especially after I went to sleep for a bit lol
Thanks
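An added example, not code from this thread, from the hidden accepted solution or from the linked articles: Tchuki's six steps written as a PHP 8 class implementing SessionHandlerInterface and registered with session_set_save_handler(). It also answers the "where do I put _close() and _write()" question: nowhere in your pages, because PHP calls these methods itself during session_start() and at the end of the request. The table name and columns, the DSN and the credentials are assumptions.

```php
<?php
// Added example (not from the thread or the linked articles). Assumes PHP 8, PDO
// and a constructed table: sessions(id VARCHAR(128) PRIMARY KEY, data BLOB,
// last_access INT UNSIGNED). The thread's _open/_read/_write/... functions
// become these methods; no page calls them, PHP does once the handler is set.
final class MysqlSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // Steps 4 and 6: only a row newer than maxLifetime counts. Returning '' for
    // an unknown or expired id gives the client an empty session, not a trusted one.
    public function read(string $id): string
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND last_access > ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }
    // Steps 2 and 5: insert on first write, otherwise refresh data and timestamp.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('INSERT INTO sessions (id, data, last_access)
            VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE data = VALUES(data),
            last_access = VALUES(last_access)');
        return $stmt->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    // Step 6 on the server: PHP triggers this according to session.gc_probability.
    public function gc(int $max_lifetime): int
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}
// Bootstrap, included before any output on every page, the login page included.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Step 3: the cookie is PHP's own session cookie; keep it off JavaScript and plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_set_save_handler(new MysqlSessionHandler($pdo, 3600), true);
session_start();
// Step 1, in your existing login right after the password check succeeds:
//   session_regenerate_id(true); $_SESSION['user_id'] = $userId;
```

Your members pages then only check $_SESSION (for example that 'user_id' is set); the database comparison and the one-hour expiry happen inside read() before the page code runs.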
http://phpsec.org/php-security-guide.pdf