Database sessions workflow

I'm having a bit of trouble getting my head around how database sessions are used to aid security. I've come up with a workflow for how I think it would work; can anyone tell me how wrong/right I am?

1.) A user with no existing session signs in. The session library creates a session, stores the details in the database, encrypts it with the security key in config.php and stores it in the user's browser.

2.) The user comes back to the site within the expiration time of the session. The session lib retrieves the session from the browser, decrypts it with the security key and checks to see if a session with the corresponding details is stored in the database.

3.) The user comes back to the site when the session has expired. There will be no cookie for the library to retrieve, as (and I'm guessing here) the browser deletes expired cookies?

4.) The user comes back to the site with a fake session. The session would likely not be encrypted correctly anyway, as they wouldn't have the security key, and even if they did (by some amazing coincidence) the session would not appear in the database.

Points I particularly want to clear up:
- If the session has expired, would the browser even make it available for the session library to retrieve?
- The session is stored in the database in plain text (i.e. the session properties are not encrypted) and in the browser cookie in encrypted format?

Any help on this would be greatly appreciated.

The session expires using the expiration timestamp on the session cookie. If it is expired, the browser will delete it, so you end up in situation 1).

There are several parts that play a role in what you call "the session":
- the session identification information
- the session cookie
- the session payload

The session ID information consists of a unique Session ID, a timestamp, and the IP address and User Agent string of the client. This information is stored in an array, which is serialized, encrypted, and sent to the browser as the payload of the session cookie.
The session id is used to access the database, to retrieve the session payload (i.e. the userdata). Userdata never leaves the server (unless you use cookie sessions, in which case the user data is also part of the encrypted cookie). Userdata stored on the server is not encrypted, the assumption is made that your database server is secure (which is not always the case with file based sessions, especially not on a shared host).
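The workflow described in this reply, as an added example that is not CodeIgniter's own session code: the cookie carries only the identification array (session ID, timestamp, IP, User Agent), the userdata stays in a server-side store, and a returning cookie is accepted only if its authentication tag verifies, the ID exists in the store, it has not expired, and the client details match. Assumptions: the store is a dict standing in for the sessions table, the key is a constructed placeholder for the config.php encryption key, and an HMAC tag is used in place of the library's cookie encryption, since the point being shown is that a forged or altered cookie is rejected before any lookup happens.

```python
import base64, hashlib, hmac, json, os, time

SECRET = b"constructed-demo-key-not-a-real-config-value"  # stands in for the encryption key in config.php
SESSION_TTL = 7200  # seconds; stands in for the configured session expiration

# Stands in for the sessions table: session_id -> row with identification info and userdata.
store = {}

def _tag(payload: bytes) -> bytes:
    # Authentication tag over the serialized identification array (HMAC in place of encryption here).
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def create_session(ip, ua, userdata, now=None):
    """Situation 1: no session yet. Insert a row and return the cookie value for the browser."""
    now = int(time.time()) if now is None else now
    sid = os.urandom(16).hex()  # unique, unguessable session ID
    store[sid] = {"last_activity": now, "ip": ip, "ua": ua, "userdata": dict(userdata)}
    payload = json.dumps({"session_id": sid, "last_activity": now,
                          "ip_address": ip, "user_agent": ua}).encode()
    return base64.urlsafe_b64encode(payload + _tag(payload)).decode()

def read_session(cookie, ip, ua, now=None):
    """Situations 2-4: validate a returning cookie; return the userdata or None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None  # not even decodable: treat as no session
    payload, tag = raw[:-32], raw[-32:]
    if len(tag) != 32 or not hmac.compare_digest(tag, _tag(payload)):
        return None  # forged or altered without the key: rejected before any database access
    try:
        info = json.loads(payload)
    except ValueError:
        return None
    row = store.get(info.get("session_id"))
    if row is None:
        return None  # well-formed cookie, but no matching row in the database
    if now - row["last_activity"] > SESSION_TTL:
        del store[info["session_id"]]  # server-side expiry, independent of browser cookie expiry
        return None
    if row["ip"] != ip or row["ua"] != ua:
        return None  # client details no longer match the ones recorded at creation
    return row["userdata"]
```

Server-side expiry is checked on every request, so the answer to "would the browser even make it available?" does not have to matter: even a cookie the browser failed to discard is rejected once the stored timestamp is too old.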

Brilliant, thanks for the help.

I think I get it: the session library does all the database lookups itself; I don't need to write my own functions for that. I've started reading through the source in system > libraries > session and it's all becoming clear.

Thanks for your help.
