The best way to Login/Logoff users...HOW

Anon

I'm about to write an aplication that has to have GOOD LOGIN/LOGOFF mechanism.... I heared about session IDs and cookies combined all together...
Is it the best way to secure a website???

what do You think... maybe you know better way...

Where to find code that uses sesssion id's???

Should session Id's be generated randomly for every user... and even for the same user diferrent id's when he tryies to login again for example in an hour...

Should session Id's be made obsolete???
Why to use cookies with session id's...
How long should old session id's be kept in database?

THX a lot

nashirak

Yes sessions are a good way to log on and off... most professional website do this:

If by secure you mean 100% secure: No, but then there really isnt a way to do that you might try Apache SSL with sessions for a bit more security (if you are passing sensitive information back and forth ie credit card)

Code for sessions can be found at

http://www.php.net/manual/en/ref.session.php

http://www.phpbuilder.com/snippet/download.php?type=snippet&id=293

Well generating them if you use the session_start() and session_register() automatically creates a hash (user ID for you), setting a time out would be a good idea.

Should session ID's be made absolete... well, PHP does a good job of creating session IDs so you will never get 2 of the same IDs so you dont have to make them absolete.

Cookies are the best thing around for "tracking" users... since the HTTP protocol is a "give you info and forget you" protocol, cookies do the best job of keeping track of you: other methods would include some kind of string in your header (ex http://www.site.com?id=3dfo4995kf) or make a hidden field with the session id in it

If you let PHP determine session IDs then you wont have to worry about the last part

I could be totally wrong on some of this but... these are my thought on Sessions 🙂

badman

hello

most of what you have said here is correct!!

i have used sessions in combination with mysql database.

i am writing session id to a table alongwith login_id and checking if both are present , in every page.

this is sufficiently secure way in my opinion, i am not showing the session id in the address bar at all, so users hav eno idea about what all things i am passing.

try it'if needed i will help you!
Cheers!

Anon

how to compare session id? with one kept in database and generated randomly when user logs on???

should I let those users in??? What to do then??? how to check session id???

Anon

how to compare session id? with one kept in database and generated randomly when user logs on???

should I let those users in??? What to do then??? how to check session id???

badman

i am assuming you know how to start and register session variables.If not refer php manual under session handling functions or read some articles at this site or devshed.com
.
steps to do:
1. the moment you start a session php assigns a hash which is available in your script in $PHPSESSID( echoing it will show you the id)

enable the option --enable-trans-sid when compiling php (see php.ini)
doing this will save you the trouble of appending url with session id.if not, then add <?SID?>at end of every url(hrefs) where session support is needed.
start a session in all your pages where you want and this session id is available, therefore if you have the same session id in combination with login id, it very much means that its the same user!
create a table in mysql to store login id and $PHPSESSID and keep checking in all pages where needed.

this shud be clear enough i hope.cheers!

Przemek wrote:

how to compare session id? with one kept in database and generated randomly when user logs on???

should I let those users in??? What to do then??? how to check session id???