Hi guys,

I need a good link for a good and clear tutorial to design a Session Management System (that uses a DB to store sessions) instead of using the PHP sessions since there are a lot of security holes in it.

So, anyone can advise me for a good link, with a code example? Even if it was a complete source code (but with comments, so I can understand what's going on) 🙂

    Before you get flamed, I should mention that the 'security holes' in PHP session management are no greater than the security issues of building your own session management system. PHP Sessions do not pretend to be a security system, they only maintain state and it is still up to you how secure you make them.

    I am a proponent of 'rolling your own' session, but not for security reasons. You can make PHP sessions pretty secure if you set them up properly. There are some tricks you can employ 'rolling your own' that might increase their security over native sessions, but I have not fully investigated them yet and that conversation could get sidetracked in a hurry.

    That being said, I have not yet seen a decent tutorial describing either 'rolling your own' session or one that addresses using native sessions properly. I'll let you know if I stumble across one.

      Thanks MrAlaska for sharing your thoughts about PHP sessions.

      Until now, and for more than 1 month, I'm trying to build just the signUp, Login pages and a code to be at the top of every page that has to be restricted. Because I spent some time with cookies and it works fine with me, but as everybody said, "cookies aren't secure!", so I decided to go for sessions, and when I tried to start coding for sessions, I heard that PHP sessions aren't secure enough, since I read it in the PHP manual: http://www.php.net/manual/en/ref.session.php

      "Users may send an URL that contains an active session ID to their friends by email or users may save an URL that contains a session ID to their bookmarks and access your site with the same session ID always" !!!

      Please, I need advice on how I can build a strong session management system, and the rest of my site will be finished in 1 week 🙂

      Back to my question, I need a good tutorial explaining in detail with clear examples how we can build our session management system with a DB.

        Nothing is completely secure. I don't care what you do or try. If you need better security. Put it in yourself. I don't think that means you have to re-invent the wheel. Just add security to your sessions.

        Maybe I just don't know, but how does using a database make your sessions more secure? Sounds to me that you're just adding overhead.

        Frag

          When managing sessions w/o native functions, usually the session is saved with the user's IP, preventing someone else from using the same session ID. Each time a page is invoked, the IP stored with the session is compared to the user's IP.

          The same could be done with native sessions though.

            Whether managing your own session or using PHP sessions, the concepts are the same. When the user first logs in, you check as many environmental variables as are available to you, such as IP address, browser used, etc, and record these values either as session variables if using native sessions or in your database or files if you are managing your own. Then every page request you check the present environmental variables and make sure they match the ones the user logged in with.

            As far as security goes, cookies are not a place to store anything but the session ID, whether they are placed by you or by PHP. Persistent cookies, and sometimes session cookies (not by PHP though), are often used to store more information, but not for security purposes. Anything transmitted between the client and server can be sniffed out, which means that if security is important you also need to run SSL, at least for when the user logs in, and for the entire session if sensitive data is being transmitted.

            As far as the user bookmarking a session, that is not really a concern because old sessions should get destroyed which would force such a user to start a new session. I don't see any problem if they re-use the old session ID, they would still need to log in to gain access to member areas.

            As far as tutorials, I have not seen one yet that is good enough to follow religiously, but on the other hand I have not seen many that do not have at least ONE good point. Read them all, check out their methods, and adopt the ones that seem to make the most sense.
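Putting the advice from this thread into one piece of working code (an added example, not posted by anyone in the thread): a database-backed session store that plugs into PHP's native session machinery via `SessionHandlerInterface`, records the client's IP and browser alongside the session data, re-checks them on every request, expires old sessions, keeps nothing but the session ID in the cookie, and issues a fresh ID on login so a bookmarked or emailed ID cannot carry over into a logged-in session. The table layout, the SQLite DSN and the `onLoginSuccess`/`requireLogin` helpers are assumptions made for this example; it targets PHP 8.

```php
<?php
// Added example, not from any post in this thread. Assumed table (create it first):
//   CREATE TABLE sessions (
//     id         VARCHAR(128) PRIMARY KEY,
//     data       TEXT NOT NULL,
//     ip         VARCHAR(45) NOT NULL,
//     user_agent VARCHAR(255) NOT NULL,
//     expires_at INTEGER NOT NULL
//   );

class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data, ip, user_agent FROM sessions WHERE id = ? AND expires_at > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';   // unknown or expired ID: PHP starts an empty session
        }
        // Environment check from the posts above: the session must be presented
        // by the same client that created it. On mismatch the stored session is
        // destroyed instead of being handed to whoever holds the ID.
        if ($row['ip'] !== self::clientIp() || $row['user_agent'] !== self::userAgent()) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO works on MySQL and SQLite; use an upsert on other engines.
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, ip, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)');
        return $stmt->execute(
            [$id, $data, self::clientIp(), self::userAgent(), time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: old sessions are removed, so a stale ID from a
    // bookmark simply yields a new, empty session.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    private static function clientIp(): string
    {
        return $_SERVER['REMOTE_ADDR'] ?? '';
    }

    private static function userAgent(): string
    {
        return substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);
    }
}

// Wiring. Only the session ID travels in the cookie; everything else stays server-side.
$db = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');   // assumed DSN for the example
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($db), true);
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
ini_set('session.use_only_cookies', '1');   // never accept a session ID from the URL
session_start();

// Call after the password check succeeds: a fresh ID means an ID the client
// had before logging in (bookmarked, emailed) is not the logged-in session's ID.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Put at the top of every restricted page.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
}
```

Two practical notes. The IP comparison is the weakest of the checks: clients on mobile networks or behind load-balanced proxies change addresses mid-session and will be logged out, so many deployments compare only the user agent or a coarser prefix of the address; decide that per site rather than copying the strict form above. And the `secure` cookie flag means the session cookie is only sent over HTTPS, which matches the SSL point made in the post above; on a plain-HTTP development box you would drop that flag temporarily.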
