I'm learning how to handle user login with sessions, I've read many things but it seems more complicated than everything makes it out to be. If someone has a good tutorial please share it with me (And don't just google one, I've already done that and still don't understand).

Here is how I want my site to work, to give you an idea of what I need done.

A user goes to my site, registers an account, downloads my software (It lets you upload screenshots and stuff), then they are able to log in and edit the files they upload. By "Edit the files" I mean change the title, add a description tags, and also view other peoples images and rate them etc. Much like the functionality of Photobucket, but with a different purpose.

Heres some questions that I have about sessions:

1. What kind of data should I store when a user logs in?
2. How do I determine when they leave the website? If I use a timer, where should I put it?
3. Are there any security holes I should be aware of?
4. Do sessions behave differently in different browsers, or are they server-side. I assume they aren't handled based on IP address, so how are they handled?
5. When a user deletes an image or changes something, should I verify the user? And if so, how?
6. I've read that you can give session's a different name, is this necessary? I read that they are handled automatically so you don't have to worry about it.

Thanks for any information, it's difficult to create something using a feature you don't quite understand.

Also, for security I read a sticky on this website somewhere about using hashes to encrypt passwords so you don't store the password on the server. When the user creates their account, using the date and time I create a unique ID and use that as the "salt" and put it on their MySQL data. Then they enter a password, I grab the salt, make the hash, and compare it. That works - but is it the right way to do it?

1. Don't store sensitive information such as passwords. You do need to store something to indicate that the user is logged in. You should store something that identifies the user (such as a user id). Assuming that this field is empty for a non-logged in user you can also use it to determine if the user is logged in.

2. A session typically dies when a user closes their browser. There is no way to determine if the user has "left the website" other than if they explicitly log out. What you can do is store an expire time and invalidate the session when it expires:

PHP Code:

session_start();
if($_SESSION['expire'] < time())
{
     $_SESSION = array(); //destroy the session data
     session_destroy(); //destroy the session
}

$_SESSION['expire'] = time() + $offset; /*offset is how long in seconds you want the session to be valid*/ 


3. Yes, as I mentioned before you should not store sensitive data in a session. The reason for this is that a session can be hijacked.

4. Not that I'm aware of. Sessions are (by default in PHP) associated with a user through a session cookie. This cookie identifies the session, the session data is stored server side.

5. Anytime a user accesses content or performs an action that is restricted to members you should check if there session is valid (ie if their user id is set for example).

6. You can used named sessions. The only reason I know of that you would need to do this is when dealing with multiple sessions. Other than that a session name should be transparent unless you write your code to explicitly use session names.

Thanks for the quick response. I like the simple way to implement the expiry of a session, I was thinking of different ways that were much more complicated. When I said 'If I use a timer, where should I put it?', i was thinking of putting the expiration time in the mysql database, but putting it in the session just makes so much more sense now that I think about it.

I did some reading about "Session Hijacking", currently I just store the user's ID and a boolean "LoggedIn" variable, I'm not sure how you would do it, but if someone just edited the session to a different ID they could steal anyones account! I will uses a random value and keep that in the database, and change it each time they log in.

I wonder if the application version of cURL supports sessions... wouldn't really matter, but for the software each time they upload a picture it sends their username/password, I don't bother with keeping the software logged in.

You can't change the ID of a session. When hijacking a session the attacker determines the ID of a user's session, usually by XSS or listening to network traffic. The attacker can then assume the identity of the user. An XSS attack is an attack on the server and involves injecting malicious code into your site. Listening to network traffic is usually an attack on a specific user. SSL can prevent an attacker from intercepting a session id even if they are listening to network traffic, but for general purposes this is overkill; it is more appropriate for sensitive transactions such as payment processing.

Okay, that makes me feel safer. I won't worry too much about security other than the primitive stuff, my website wouldn't be high priority for attackers anyway. There won't be any payment processing unless this project goes very well, even then, I don't want to be bothered with advertising and such.

I'm trying to come up with a new way to store the images and associate them with the users now, it's the next step. Posted it in the database forum mainly because I think it's more relative, and it's off-topic of this thread's title.

http://www.webmaster-talk.com/the-da...tml#post990298