|Problems? Is your data what you think it is?|
Thanks for the feedback guys. I was since my posting, I've done a little thinking and have an idea how to do this. Here's my idea, please let me know what you think.
Each user will have a record in a database. When the user initially logs in, it will verify that they entered the correct username and password by comparing to the values in the database.
After it verifies the username and password are correct, it will assign a random string of text (session ID) and it will write this session ID along with the current time, to the record in the database. It will also write this session ID along with the username to a cookie.
Now when the user loads another page, it will pull the session ID and username from the cookie. After it finds the matching session ID and username in the database, it will check the time in the database (time session ID was assigned). If that time is over a certain limit, it will timeout and display the login screen...otherwise it will allow the user to continue and will assign a new session ID and time to the databse and the new session ID and username to the cookie.
I figure since all these pages are encrypted with SSL, it's not a having the session ID intercepted is not a concern. Plus, the session ID is changed each time, so even if someone got a hold of it, it will have probably changed or timed out by the time they can use it.
Any comments or suggestions? Do you see any problems here? Do you think this would hold up and perform well with a large amount of users?