I’m thinking about security problems, made some questions, read some articles….. it’s too difficult to get all information from all those articles with very different methods and put them in 1 place to have normal user login and user check system.
Today I’ve read about haveing mysql table with active users list instead of storing sessions.
As I understand sessions are too difficult to secure, and on the other hand mysql table I think is very easy to make.
For example, users loggs in. Instead of making some ‘user’ session, I can simply insert new data into active_users_table and add user ip there.
And on all pages I can ask client for ip, then go to mysql table check if such ip-user is logged in, if yes check what rights does the user have and give him corresponding access.
Question 1. Isn’t it simple ? easier to make then securing sessions?
Question 2. If this system is good enough so I could stop my research and construct site using this method question is how can I understand if the user is still active ? If he will press ‘log out’ button ok , I will log out him and delete his record from the table. But if he restarts his PC or something? how can I understand when the record will be available for destruction ?
Question 3. one guy told me to use mysqli instead of mysql commands when I’m working with database. Are they the same so I just have to add “i” to all my commands and it’s ok, or mysqli is a bit different and needs some study ? and also why is it better ? WHy I cannot use normal mysql commands to which I got used to?
Session CAN BE and often IS stored in the database. So there is no session vs database. Session is a way to persist information between HTTP requests, as HTTP is stateless protocol.
The difference between session and your approach is that session relies on cookie, and you are relying on IP. But there can be multiple users with the same IP. So your approach is not secure, session is more secure.
The database is offered instead of the default file-saving mechanism from a security point of view, because in a shared environment other user can read the session files. Also, session in a database can scale easier, if you have a lot of active users.
You should care about session hijacking and session fixation attacks. None of these is related to how you are storing the session data.
Question 3 have nothing to do with the session and deserves own question. But mysqli is just the newer extension, and supports more functions. In most cases it’s used exactly the same as the mysql functions.