Best approach to store Remember Me data
#1

I am writing my own auth library (I know there are a lot of readily available, free, proven ones, but I want to get some experience and just make another fast and furious auth lib☻)

And I got stuck on one dilemma... with the "Remember Me" option.
As everybody knows, cookies are not a safe place to keep a user's data.

So I decided to make a new random key each time a user logs in:
PHP Code:
$random_hash = bin2hex(random_bytes(30));

I store it in cookies (with user_name and user_id; I will explain why a little bit later☻).
After this I add a new row to the database with:
PHP Code:
    public function insert_user_session($user_name, $user_id, $session_hash)
    {
        // One row per remembered login
        $data = array(
            'users_sessions_user_id'  => $user_id,
            'user_sessions_user_name' => $user_name,
            'session_hash'            => $session_hash,
        );
        $this->db->insert(self::$this_table_name, $data);
        return $this->db->insert_id();
    }

As I see it, this approach has some advantages (a user can be logged in on several devices simultaneously).

So it seems to work, but I have two theoretical problems.
1) It creates new rows in the database really fast...
I tried keeping F5 pressed, and I got several hundred new rows.
2) There is a possibility of a hash collision: two users can get identical hashes, and someone can suddenly be logged in as a different user without any devious hacks☻
Of course I can check existing entries in the database (before inserting) and repeat this all over again until I get a truly unique value.
But that seems like overkill to me (we need at least one additional query).
So I think I will just compare the user_id from the cookies, so in case of a collision there will not be such an unusual situation and someone will not become a different person out of the blue.

So guys, can you advise me how to resolve this puzzle?
Maybe make a permanent hash that is assigned to a user for a long time?


Btw, I am trying it on a local machine, and if I keep the F5 button pressed for a lengthy period of time (5 sec) I get the following error:
Message: mysqli::real_connect(): (HY000/1040): Too many connections
Does it say something? Maybe my CI configuration is wrong?
It seems too easy to DDoS my site ☻☻


Messages In This Thread
Best approach to store Remember Me data - by glorsh66 - 12-18-2017, 09:33 AM
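
An added example, not part of the original post or the poster's library: one way to handle both concerns raised in the post, by issuing a token only at login and letting a UNIQUE index reject a duplicate instead of running a pre-check query. Table, column and function names are hypothetical, and it uses in-memory SQLite through PDO so that it runs offline.

```php
<?php
// Added example; schema and function names are assumptions, not from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    token_hash TEXT NOT NULL UNIQUE,  -- a duplicate is rejected by the database itself
    expires_at INTEGER NOT NULL
)');

// Called once, at login with "Remember Me" ticked, never on ordinary page loads.
function issue_remember_token(PDO $db, int $user_id, int $ttl = 2592000): string
{
    $sql = 'INSERT INTO user_sessions (user_id, token_hash, expires_at) VALUES (?, ?, ?)';
    $stmt = $db->prepare($sql);
    for ($attempt = 0; $attempt < 3; $attempt++) {
        $token = bin2hex(random_bytes(30));            // 240 bits from the CSPRNG
        try {
            // Only the SHA-256 of the token is stored, so a leaked table
            // does not contain usable cookie values.
            $stmt->execute([$user_id, hash('sha256', $token), time() + $ttl]);
            return $token;                              // cookie value: "$user_id:$token"
        } catch (PDOException $e) {
            if ((string)$e->getCode() !== '23000') throw $e;  // retry only on UNIQUE violation
        }
    }
    throw new RuntimeException('could not issue a unique token');
}

// Returns the user id for a valid cookie, or null. The user id in the cookie is
// only compared against the stored row; it never decides who the visitor is.
function check_remember_cookie(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return null;
    $sql = 'SELECT user_id FROM user_sessions WHERE token_hash = ? AND expires_at > ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([hash('sha256', $parts[1]), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['user_id'] !== (int)$parts[0]) return null;
    return (int)$row['user_id'];
}

$cookie = '42:' . issue_remember_token($db, 42);          // constructed sample user id
var_dump(check_remember_cookie($db, $cookie));            // matching id and token
var_dump(check_remember_cookie($db, '7:' . substr($cookie, 3)));  // same token, other id
```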