I've (so far) been handling user sessions with client-side cookies and database entries.

When the user logs in, I generate a guid and place it in a cookie on the client's computer. Then I create an entry in a 'sessions' MySQL table, and add there the guid, IP address, the username, privileges, etc. Then when the user accesses the page, I check if there's a session cookie. If so, I check the database for the guid in the cookie and make sure the IP address matches. If it does then the user is logged in with the rest of the information in the db table. If something is wrong (bad IP address, expired session, etc) I remove the database entry and remove the guid cookie.

I've never used the $_SESSION global before.

Is my way good practice or do I need to re-think how I'm handling this?

Comments

You're reinventing the wheel, my friend.

Written by Justin Johnson

Accepted Answer

It sounds like you've got the basics covered. However, if you're doing that all manually, then you are effectively just implementing your own $_SESSION, and not taking advantage of the fact that it can already do all that for you.

If you want to use a database to handle a session, you can override the default session handling with your own. Take a look at session_set_save_handler(). I do this in my apps.

// Renamed from SessionHandler: PHP 5.4+ ships a built-in class with that name,
// so declaring another one is a fatal error.
class DbSessionHandler
{
    private $db;                  // database wrapper providing query() and escapeData()
    private $sessionName;
    private $maxLifeTime = 1440;  // seconds a session may go without an update

    public function __construct($db)
    {
        $this->db = $db;
    }

    public function open($save_path, $session_name)
    {
        $this->sessionName = $session_name;
        return true;
    }

    public function close()
    {
        //stuff
        return true;
    }

    public function read($id)
    {
        // Only rows updated within maxLifeTime count as live sessions
        $expiretime = date("Y-m-d H:i:s", time() - $this->maxLifeTime);
        $sql = "SELECT * FROM sessions WHERE sessionid='" . $this->db->escapeData($id) . "'"
             . " AND lastupdated>='" . $expiretime . "' LIMIT 1";
        $result = $this->db->query($sql);
        //etc.
    }

    //etc.

    public function setAsSessionHandler()
    {
        session_set_save_handler(
            array($this, 'open'),
            array($this, 'close'),
            array($this, 'read'),
            array($this, 'write'),
            array($this, 'destroy'),
            array($this, 'gc')
        );
    }
}

$sessionHandler = new DbSessionHandler($db); // $db: your database wrapper instance
$sessionHandler->setAsSessionHandler();

You can have all the functionality you just described that you've implemented yourself by using this, but still have the power of $_SESSION to do it for you.

For instance, if you wanted to add an IP check to see if the session is still valid before you start it, you can add that as part of the "open" function. If you wanted to write the session data to ten different databases (not that you would), you could accomplish this in the 'write' function.

Those functions are all used based on how you use $_SESSION, and by putting them into a simple class, you can manage how it works very effectively.

You'll see that the session id is a parameter passed to the read/write/destroy functions, and you'll still manage this the same way using your GUID generation routine. However, you could stick the guid generation and checks into this session manager class and simply have the open() function do them. Centralized, no muss, no fuss.

Written by zombat
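A complete version of the handler the answer sketches, added here as an example and not the answer's own code. It implements PHP's SessionHandlerInterface over PDO prepared statements (so the session id is never interpolated into SQL), performs the IP check from the question inside read(), and assumes PHP 8.1+, the `sessions` table layout shown in the comment, and the DSN and credentials in the last lines.

```php
<?php
// Added example, not the answer's code. Assumed table:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, ip VARCHAR(45), data BLOB, lastupdated INT UNSIGNED);
class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Return '' (not false) for a missing or stale row so PHP starts a fresh, empty session.
    public function read(string $id): string
    {
        $stmt = $this->db->prepare(
            'SELECT data, ip FROM sessions WHERE id = ? AND lastupdated >= ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';
        }
        // The IP check from the question: on a mismatch the row is discarded and the session is empty.
        if ($row['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, ip, data, lastupdated) VALUES (?, ?, ?, ?)');
        return $stmt->execute([$id, $_SERVER['REMOTE_ADDR'] ?? '', $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Called by PHP's probabilistic garbage collection; removes rows older than max_lifetime.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE lastupdated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // assumed DSN and credentials
session_set_save_handler(new PdoSessionHandler($pdo), true);
session_start();
```

Once registered this way, ordinary `$_SESSION` reads and writes go through these methods, so the GUID-and-cookie handling from the question is done by PHP's own session machinery.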
This page was built to provide you with fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki