My take on the best method of security is context. I reckon one of the better methods is similar to what you suggest.

  • Issue the user with a non-determinate token (sess_id) in a cookie, with a timeout value (5mins, 15 mins etc)
  • Stick the sess_id in a database along with the user that owns it.
  • For each pageview, get the cookie value, and check it against your database.
  • If the cookie expires but the session is still active, set another cookie, with a different value and extend the session.
  • Make sure you include a logout function which will purge the record from the database.

    IMO there is no need to use crypto, save for md5, or sha1, which you could use to generate the sess_id, (seeded by the pid, time, rand and username perhaps). If you're going to have a high transaction site, you may as well use md5 (or sha1) because, its easy, and the chance of a collision is amazingly small.

    There are of course prebuilt things out there, however, I chose to write my own because it was fun and taught me a lot.

    For added security, add a dash of https, and run your sessions over it.

    Check out this node for a thread on sessions management without cookies, and here for a bit of light reading on secure session management.

    In reply to Re: Secure State Maintenance by Ryszard
    in thread Secure State Maintenance by George_Sherston

    Title:
    Use:  <p> text here (a paragraph) </p>
    and:  <code> code here </code>
    to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.