[eluser]richzilla[/eluser]
Im having a bit of trouble getting my head around how database sessions are used to aid security. Ive come up with a workflow as to how i think it would work, can anyone tell me how wrong / right i am?
1.) A user with no existing session signs in. The session library creates a session, stores the details in the database, encrypts it with the security key in config.php and stores it in the users browser.
2.) The user comes back to the site within the expiration time of the session, the session lib retrieves the session from the browser, decrypts it with the security key and checks to see if a session with the corresponding details is stored in the database
3.) The user comes back to the site when the session has expired, there will be no cookie for the library to retrieve as (and im guessing here) the browser deletes expired cookies?
4.) The user comes back to the site with a fake session. The session would likely not be encrypted correctly anyway as they wouldnt have the security key, and even if they did (by some amazing coincidence) the session would not appear in the database
Points i particularly want to clear up:
- If the session has expired, would the browser even make it available for the session library to retrieve?
- The session is stored in the database in plain text (i.e. the session properties are not encrypted) and in the browser cookie in encrypted format?
Any help on this would be greatly appreciated
