PHP Session becomes invalid?

rcbasie

Hi.
I got a problem with authentication for users on my site. The site is based on a MySQL Database, and there are 2 types of users who must be able to view different sets of data. I am planning to implement this by requiring the more privilaged users to 'log in' using a password and ID that they define themselves. Once this is done, i'd like to store the session ID variable that PHP produces (during the login sequence - if sucessful) in a temporary table and use that for authentication - ie. this session ID variable would be echo'd out to the privilaged users HTML, so that all links and forms automatically identify themselves and allow the privilaged user to access the right data.
The problem with this approach is that the access control table holding the session id could end up balooning, i need a way of deleting these values after a pre-set time, or i need to be able to tell when any particular session id becomes redundant.
Hope i have been clear in this question, if you think this is a crap idea and you know a better way of doing it then let me know!
Cheers people!
Robin

mistcat

Robin,
Why do you want to store the session id for the user beyond the session they use it?

rcbasie

I know my method sounds a little convoluted...
I thought if i did it this way the site would be more secure for the 'privilaged users'. If i did it using the session id alone, wouldn't it be easy for a hacker to just send a bogus URL with any old session id? The exact security requirements haven't yet been finalised, so i need to come up with something that we could increase the security for without re-implementing the whole site.
Thanks for your time
Robin

mistcat

Why don't you store the login time for each user in a table and then also set a session variable, and after like 90 minutes or something have that var expire and kick them back to the login page, where they log in again, resetting the variables. Then you can be sure that if some session id is hijacked, the session var will be too old, or not set, in which case you kick back to the login screen?

This means for each user there will be only one other entry in the database, and thats not such a heavy load, and you will update it with logins.

how does this sound?

-nate

rcbasie

I see what you mean....
That might be a bit of a pain in the arse for the 'privilaged' users, but it would mean that i can go ahead and write the thing using plain session id's, and then amend the existing code if extra security is required.
It'd be nice to know in advance what was required, god bless my boss!
Thanks for your time & advice
Robin