Which is the best way to track user sessions?

#1
06-05-2008, 06:34 AM
Lord Northern

Hey.
I'm trying to figure out how to write a better way for me to track user sessions on my website.

What I do so far is this:
When the user logs in, I generate a 64 char long string and store it in the db and a cookie of the user.
The database table that stores this string also stores the user id (to be able to know whose this session ID is) and an exact time.
Every time a user clicks on a page or does something on the site, the script loads the content of that cookie, then runs through the sessions table in the database to find a session ID like the one stored in the cookie.
If it manages to find it, it will do the following:
If date of last activity is less than 5 minutes, it'll simply return the user ID and update the last activity to the current second and the script will go on.
If the last activity was more than 5 minutes ago, it'll still return user ID but also change the session id both in the cookie and the db (a kind of a way to relogin but the user doesn't feel it).

I think my system isn't exactly a good one because someone may try to run a script that will be sending these strings and may stumble upon a correct ID.

So, I wanted to know: how is this stuff usually handled in professional projects like I dunno, joomla/phpbb and other professional sites?

thanks

#2
06-05-2008, 06:56 AM
djorgensen

Is this for PHP, Java or ASP.NET?
Or something completely different?

__________________
--
Damien Jorgensen
www.permoveo.ltd.uk

#3
06-05-2008, 07:11 AM
Lord Northern

Oh, my bad. I forgot to say. It's PHP/MySQL.

#4
06-05-2008, 07:46 AM
sasha

Only thing you are missing there is something that would clean up database from all sessions older than, let's say, 20 minutes. That gives users 15 minutes of inactivity before they are completely logged out. Chance of someone guessing random 64 characters string in 20 minutes time window is none. Only possible problem is if the string is truly random. If someone registers 5 user accounts and logs with all of them, could he guess what logic you use to generate those strings?

That all being said, you are reinventing the wheel. Everything you are doing there can be done using PHP's built-in session handling.

#5
06-05-2008, 07:52 AM
Lord Northern

So you're saying it's just better to go with the sessions in php?

#6
06-05-2008, 08:28 AM
sasha

Quote:
Originally Posted by Lord Northern
So you're saying it's just better to go with the sessions in php?

I do not know what your project is about so I cannot tell. There is more than one way to do anything in PHP. For example, you can retrieve a remote HTTP file using sockets or you can just get it with file_get_contents. There is a time and place for both of those approaches.

What you did is a nice exercise, but you have to ask yourself if it provides you anything that PHP's built-in session handling does not. If it does not, use the built-in stuff; it will make your code easier to understand and maintain.
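
Added example, not part of the thread and not code from any project named in it: the scheme from post #1 with the points from post #4 applied, so the ID comes from PHP's CSPRNG, only its SHA-256 hash is stored, IDs rotate after 5 idle minutes, and rows idle for more than 20 minutes are purged. The table layout, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// an in-memory SQLite table stands in for the poster's MySQL sessions table.
const ROTATE_AFTER = 300;   // 5 minutes idle: issue a new ID (rule from post #1)
const EXPIRE_AFTER = 1200;  // 20 minutes idle: row is purged (suggested in post #4)

function newToken(): string {
    // 32 bytes from the OS CSPRNG, hex-encoded to 64 characters
    return bin2hex(random_bytes(32));
}

function createSession(PDO $db, int $userId, int $now): string {
    $token = newToken();
    // Store only a hash, so a leaked table does not contain usable cookie values
    $db->prepare('INSERT INTO sessions (token_hash, user_id, last_activity) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now]);
    return $token;
}

// Returns [userId, tokenForCookie], or null if the ID is unknown or expired.
function touchSession(PDO $db, string $cookie, int $now): ?array {
    $db->prepare('DELETE FROM sessions WHERE last_activity < ?')
       ->execute([$now - EXPIRE_AFTER]);
    $oldHash = hash('sha256', $cookie);
    $st = $db->prepare('SELECT user_id, last_activity FROM sessions WHERE token_hash = ?');
    $st->execute([$oldHash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $idle = $now - (int) $row['last_activity'];
    $token = $idle > ROTATE_AFTER ? newToken() : $cookie;
    $db->prepare('UPDATE sessions SET token_hash = ?, last_activity = ? WHERE token_hash = ?')
       ->execute([hash('sha256', $token), $now, $oldHash]);
    return [(int) $row['user_id'], $token];
}

// Constructed walk-through with fixed timestamps instead of time()
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, last_activity INTEGER)');
$t0 = 1212647640;
$c0 = createSession($db, 42, $t0);
[$uid, $c1] = touchSession($db, $c0, $t0 + 60);      // request after 1 minute
[$uid, $c2] = touchSession($db, $c1, $t0 + 460);     // request after 400 s idle
var_dump($uid, $c1 === $c0, $c2 === $c1);
var_dump(touchSession($db, $c1, $t0 + 500));         // replay of the pre-rotation ID
var_dump(touchSession($db, $c2, $t0 + 1800));        // request after more than 20 minutes idle
```

In a real request the returned token is written back with setcookie() using the httponly and secure options. PHP's built-in session handling offers the same rotation through session_regenerate_id().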
