Keeping session alive

Instead of the default flat files, I'm using a database to store user sessions because of the extra control. Keeping the session alive in the database is easy, all I have to do is assign a value of "1" to the row's "keep_alive" column ... however that doesn't solve the problem of kick-starting a user's session again if their PHPSESSID cookie has expired.

So far I've got the following code to work, and it involves setting a separate "keep_alive" cookie in addition to the standard session cookie:


// Only do this if the session cookie is unset and the "keep alive"
// cookie is set; "keep alive" contains the user's previous session id
// in a sha1() hash

if(!isset($_SESSION['session_name']) && isset($_COOKIE['keep_alive']))
{

// open database class

$session = new db('','','','');

// pull session id from all sessions where "keep_alive" is set

$session = $session->rows('SELECT session_id FROM session_table WHERE keep_alive = "1"');

// if $session contains database row(s)

if($session != '')
{

// Do any session id's match the "keep alive" cookie

$session_match = 0;

// Check each session_id for a match with the "keep alive" cookie

foreach($session as $a)
{

// if sha1() hash of session_id is the same as value in "keep alive"
// cookie, set new PHPSESSID containing user's previous session id,
// set $session_match to "1", break out of foreach, reload requesting
// page with reset session

if(sha1($a->session_id) == $_COOKIE['keep_alive'])
{
setcookie('PHPSESSID',$a->session_id,0,'/');
$session_match = 1;
header('Location: ' . $request);
break;
}
}
}

// if no rows were pulled from database, or if none of the database rows
// matched the value of the "keep alive" cookie and $session_match wasn't
// set, kill redundant cookie

if($session == '' || $session_match == 0)
{
setcookie('keep_alive',0,time()-5,'/');
}
}


Does anyone foresee any potential problems with this method? It does work, but I'm not sure how secure or "foolproof" it is ... not to mention there may be an all around better way to it. All session names and cookie names will contain a hash of the user's user agent to help prevent hijacking by another user.

I am not sure why you are attempting to keep sessions alive. Sessions are meant to just last until the user closes the browser or times out after ~15 mins. If you want to keep a user logged in over multiple sessions use cookies. You can stash whatever information in there that you want and re-initialize the session variables when they visit your site again.

A session id does not seem like the best way to keep track of users, just keep using their username as a way to keep track. I think you are making this a bit unneccesarily complex.

Explain to me why you feel its neccesary to keep users on the same PHP session id every time, I bet you probably have a better reason that I am just not thinking of.

I want to keep cookies to a minimum, that's all. I could really easily do all of this using a few cookies, but I've sometimes had problems with security when using them.

I'm sure you're right, I'll just keep playing around. :)

Well the PHPSESSID is set in a cookie...

Anyway, take a look here: http://uk2.php.net/manual/en/ref.session.php

Something like this may or may not work, ive never needed to do this before:


ini_set('session.gc_maxlifetime', (60*60*24));
ini_set('session.cookie_lifetime', (60*60*24));
// Set the session to last for a day..


But even if it does work, I would advise against it... Sessions are designed partly for keeping pages secure... The longer a session is active the more time it has to be potenially hijacked, thus crushing your security.

I've realised I was being dumb with the other code I'd written, so I'm going for something more simple, along the lines of what CrzySdrs suggested.

My main problem is trying to secure it, and hashing everything so that there's less chance of another user being able to hijack the cookies/sessions.


// Self explanatory
session_start();

// Create a hash of the host address and the user agent
// Originally I hashed the IP, but user's with a changing IP might have trouble staying logged in.
// The hash() function uses a combination of hashes and salts to really mess things up
$hash = hash(getenv('HTTP_HOST') . getenv('HTTP_USER_AGENT'));

// $_COOKIE[$hash] keeps a unique (hopefully) and random identifying hash on each computer
if(!isset($_COOKIE[$hash]))
{
setcookie($hash,hash(uniqid(rand(),true)),0,'/');
$user_hash = '';
}
else
{
$user_hash = hash($_COOKIE[$hash] . $hash);
}

// $_COOKIE[$user_hash] is the "stay logged in" cookie, containing the user's ID #, and the user's unique hash
// $_SESSION[$user_hash] is the "logged in" session
// No usernames or passwords are stored in the cookie
if(isset($_COOKIE[$user_hash]) && !isset($_SESSION[$user_hash]))
{

// ID # and hash are encoded and serialized in cookie ... so undo that
$i = @unserialize(base64_decode($_COOKIE[$user_hash]));

// Make sure the two values from the cookie are set before trying to use them
$a = (isset($i[0])) ? $i[0] : '';
$b = (isset($i[1])) ? $i[1] : '';

// Perform query using database class
$i = $db->get_rows('SELECT * FROM user WHERE id = "' . intval($a) . '" AND hash = "' . mysql_real_escape_string($b) . '" LIMIT 1');

// If database row(s) matched
if(!empty($i))
{
// Log user back in
}
else
{
// Log in failed
}
}