I’m building a custom PHP Session handler using MySql, and I’ve been struggling with something. After a throughout (or not so much, subject to personal opinion) search in Stack Overflow, I couldn’t find an answer to my question: most just answer how to expire a session in the client-side, but this question is focused on the server-side.
The issue is the following: I store the session data on a SQL database, and send an id of the session as a cookie (basic session handling); if the user selected not to be remembered (aka keep me logged on/remember me) the cookie should expire on the event of the browser closing, but for obvious reasons it wouldn’t expire on the database (this is not intended, but it’s pretty hard to tell when a browser closes from the server side); moreover, if the user selected to be remembered, the cookie shouldn’t expire, and the user should be signed in automatically when he starts the browser again.
What I would like to do is expire the session on the database when the browser is closed (if the user doesn’t select remember me), and to keep the session alive in both ends if the user selects remember me, but assign the user a new session if he logs in again (and unset/delete the previous one).
All for the sake of security, I absolutely want to void the sessions that won’t be used again; for example, when the user closes the browser, the cookie is deleted and the session won’t be accessed ever again legitimately by the corresponding user, so it should be deleted.
My current idea is to use double sessions: having two cookies with two different ID’s and cookies, in which one of the cookies would expire when the browser is closed and one would remain, and the latter would be used to reference the primary one, delete it, and generate a new one and logging in the user back to the new one (if the user selected to be remembered). The double sessions don’t necessarily need two databases, as they could just be stored on the same table with different fields.
My main focus is to keep the database clean and the system safe. How would you manage session expiration on the server side?
First, there is no way to be certain of when the user has closed the browser. Using two cookies doesn’t help, as the user has control of the browser and can chose to persist the cookie you think will disappear when the browser closes and delete the persistent tracking cookie you are checking for to delete the original session. This means your solution could potentially never expire the session on the server.
A better solution is to write an expiration date/time (say 30 minutes from now) to the database session record. Every time the user tries to access the session check to see if the expiration date/time has passed. If the expiration has passed, delete the session and deny the user access. If the expiration has not passed let the user in and update the expiration date/time (30 minutes from now, just like when you created the session). This means if the user hasn’t accessed your application in 30 minutes you are assuming the user has closed the browser and are expiring their session. As long as the user does something at least once every 30 minutes the session will remain active on the server side.
To clean up sessions that have expired and the user hasn’t come back (or maybe cleared their cookies or something) you can have a background process that runs maybe once a day to delete expired sessions.
You can use the same strategy for long-term remember-me type sessions by just using an expiration date/time that is much longer (maybe 14 days from the current date/time).
Personally I store sessions in a Redis hash (Redis is a NoSQL in-memory database) which allows me to set an expiration for the hash and Redis automatically deletes it when the hash expires, saving me from having a background process to delete old sessions.