My take on the best method of security is context. I reckon one of the better methods is similar to what you suggest.
Issue the user with a non-determinate token (sess_id) in a cookie, with a timeout value (5mins, 15 mins etc)
Stick the sess_id in a database along with the user that owns it.
For each pageview, get the cookie value, and check it against your database.
If the cookie expires but the session is still active, set another cookie, with a different value and extend the session.
Make sure you include a logout function which will purge the record from the database.
IMO there is no need to use crypto, save for md5, or sha1, which you could use to generate the sess_id, (seeded by the pid, time, rand and username perhaps). If you're going to have a high transaction site, you may as well use md5 (or sha1) because, its easy, and the chance of a collision is amazingly small.
There are of course prebuilt things out there, however, I chose to write my own because it was fun and taught me a lot.
For added security, add a dash of https, and run your sessions over it.
Check out this node for a thread on sessions management without cookies, and here for a bit of light reading on secure session management.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
