I'm trying to figure out how to write a better way for me to track user sessions on my website.
What I do so far is this:
When the user logs in, I generate a 64-character string and store it in the db and in a cookie for the user.
The database table that stores this string also stores the user id (to be able to know whose session ID this is) and an exact time.
Every time a user clicks on a page or does something on the site, the script loads the content of that cookie, then runs through the sessions table in the database to find a session ID like the one stored in the cookie.
If it manages to find it, it will do the following:
If the date of last activity is less than 5 minutes ago, it'll simply return the user ID and update the last activity to the current second, and the script will go on.
If the last activity was more than 5 minutes ago, it'll still return the user ID but also change the session id both in the cookie and in the db (a kind of re-login that the user doesn't notice).
I think my system isn't exactly a good one because someone might run a script that keeps sending these strings and stumbles upon a correct ID.
So, I wanted to know: how is this stuff usually handled in professional projects like I dunno, joomla/phpbb and other professional sites?
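As an added example (not code from the post or from any of the projects it names), here is the scheme described above implemented in Python with an in-memory sqlite table: a CSPRNG-generated 64-character id, a lookup on every request, and rotation after 5 minutes of inactivity. The function names, the SHA-256 hashing of the stored id (an addition, so a leaked sessions table does not hand out usable cookies), and the sample timestamps are assumptions.

```python
import hashlib
import secrets
import sqlite3

ROTATE_AFTER = 5 * 60  # seconds of inactivity before the session id is replaced


def _digest(token: str) -> str:
    # Assumption beyond the post: store only a hash of the cookie value, so the
    # table alone cannot be turned into live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # stands in for the real sessions table
    db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, last_seen REAL)")
    return db


def create_session(db: sqlite3.Connection, user_id: int, now: float) -> str:
    # 32 bytes from the OS CSPRNG -> 64 hex chars: 2**256 possibilities, so a script
    # blindly sending candidate ids cannot realistically hit a live one.
    token = secrets.token_hex(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (_digest(token), user_id, now))
    return token


def resolve_session(db: sqlite3.Connection, cookie_token: str, now: float):
    """Return (user_id, token_to_set_in_cookie), or None if the cookie is unknown."""
    key = _digest(cookie_token)
    row = db.execute("SELECT user_id, last_seen FROM sessions WHERE token_hash = ?", (key,)).fetchone()
    if row is None:
        return None
    user_id, last_seen = row
    if now - last_seen < ROTATE_AFTER:
        # Active within the window: just refresh the activity timestamp.
        db.execute("UPDATE sessions SET last_seen = ? WHERE token_hash = ?", (now, key))
        return user_id, cookie_token
    # Idle for 5+ minutes: replace the id in both the table and the cookie; the
    # old id stops working immediately.
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (key,))
    return user_id, create_session(db, user_id, now)
```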