The solution proposed in the original post looks like regular session management to me, and you could probably implement it without running into any problems. I don't know why you need to log the IP, though.
However, I second davis's suggestion that you should go with a prebuilt module. Apache::Session totally rocks, and will let you store not only usernames and passwords, but any Storable object in your session variables. You have the choice of storing data in regular files, DB_File or several different databases, and the best part is that you don't need Apache; it will happily run under most web servers.
Also, you don't have to bother with generating random numbers for session IDs, as Apache::Session will do all this for you.
Cheers,
--Moodster
The numbers generated by Apache::Session are not random enough to be considered truly secure. If you really don't want people to forge session IDs you should use some kind of hashing scheme to generate a digest that you send out with your session ID. Then you can use that to verify that the ID has not been tampered with. This technique has been described in other threads here about session handling.
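To make the digest idea in the post above concrete, here is an added Perl example that is not from any poster in this thread and not part of Apache::Session: the session ID is drawn from the kernel CSPRNG instead of a weak PRNG, an HMAC-SHA256 over the ID (keyed with a server-side secret) is appended to what goes into the cookie, and the server recomputes and compares the digest before trusting the ID. The secret value, the cookie format `id.mac` and the function names are assumptions chosen for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed server-side secret; load it from a config file or the environment
# in real code. Anyone who knows it can forge valid-looking session tokens.
my $SECRET = 'example-secret-replace-with-random-bytes';

# Draw 128 bits from the kernel CSPRNG rather than from rand()/srand(),
# which is what makes guessing another user's ID impractical.
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $n = sysread($fh, my $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack('H*', $buf);           # 32 hex characters
}

# Token sent in the cookie: "<id>.<hmac>". Only the server holding $SECRET
# can produce a digest that matches a given id.
sub sign_session_id {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Compare two equal-length strings without bailing out at the first
# mismatching byte, so timing does not leak how much of the MAC was right.
sub _constant_time_eq {
    my ($a, $b) = @_;
    return 0 unless length($a) == length($b);
    my $diff = 0;
    $diff |= ord(substr($a, $_, 1)) ^ ord(substr($b, $_, 1)) for 0 .. length($a) - 1;
    return $diff == 0;
}

# Returns the session id if the token is well-formed and its digest checks
# out, otherwise undef (treat as "no session", never as "use it anyway").
sub verify_session_token {
    my ($token) = @_;
    return undef unless defined $token;
    my ($id, $mac) = split /\./, $token, 2;
    return undef unless defined $id && defined $mac;
    return undef unless $id =~ /^[0-9a-f]{32}$/;   # reject odd shapes early
    my $expected = hmac_sha256_hex($id, $SECRET);
    return _constant_time_eq($mac, $expected) ? $id : undef;
}

# Demonstration with constructed values.
my $id    = new_session_id();
my $token = sign_session_id($id);
print "issued token:  $token\n";
print "verify good:   ", (verify_session_token($token) // 'REJECTED'), "\n";

# Flip one character of the id part: the digest no longer matches.
(my $tampered = $token) =~ s/^(.)/$1 eq 'a' ? 'b' : 'a'/e;
print "verify forged: ", (verify_session_token($tampered) // 'REJECTED'), "\n";
```

Once the token verifies, the id is used as the key into whatever store (Apache::Session or otherwise) holds the real session data; the digest only guarantees that the id was issued by this server, not that the session is still valid, so expiry and logout checks still belong in the store lookup.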
Hello.
The method described here is not the same as regular session management. In the regular session management, the session id stays still during the session. Here, it is supposed to change on every page load.
Update: It seems I'm the one who misunderstood the method. However, I think my method (creating a new ID on every page load) would be a bit more secure.
--
Alper Ersoy
The method I described does keep the session ID constant during the session. The random number is created at login and does not change until the user logs in again.