Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Secure Session Management

by glickjd (Novice)
on Sep 06, 2002 at 23:19 UTC ( #195801=note: print w/replies, xml ) Need Help??


in reply to Secure Session Management

Thanks for the feedback guys. I was since my posting, I've done a little thinking and have an idea how to do this. Here's my idea, please let me know what you think.

Each user will have a record in a database. When the user initially logs in, it will verify that they entered the correct username and password by comparing to the values in the database.

After it verifies the username and password are correct, it will assign a random string of text (session ID) and it will write this session ID along with the current time, to the record in the database. It will also write this session ID along with the username to a cookie.

Now when the user loads another page, it will pull the session ID and username from the cookie. After it finds the matching session ID and username in the database, it will check the time in the database (time session ID was assigned). If that time is over a certain limit, it will timeout and display the login screen...otherwise it will allow the user to continue and will assign a new session ID and time to the databse and the new session ID and username to the cookie.

I figure since all these pages are encrypted with SSL, it's not a having the session ID intercepted is not a concern. Plus, the session ID is changed each time, so even if someone got a hold of it, it will have probably changed or timed out by the time they can use it.

Any comments or suggestions? Do you see any problems here? Do you think this would hold up and perform well with a large amount of users?

Thanks again,

Jeremy

Replies are listed 'Best First'.
Re: Re: Secure Session Management
by Ryszard (Priest) on Sep 07, 2002 at 08:00 UTC
    Almost, but not quite (IMO). You dont need to send the username to the browser, and think about adding an expiry date to your session database.

    So:

    1. The user logs in
    2. You create a sess_id and send it to the browser (via a cookie or "param")
    3. You record the sess_id in the database along side a user_id
    4. Foreach pageview you retrieve the cookie from the browser and compare it to the one in your database
    5. You compare the "sysdate" with the date in you set in the session database(expy_date); if sysdate is > expy_date, send the login page to the browser.
    6. optionally on each pageview you can:
      1. Extend the session by n so the session is more dynamic and stay current as long as the user is actively using your application
      2. re-issue another sess_id - making your application a touch more secure.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://195801]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2020-01-24 02:14 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Notices?