创建用于验证的user_session表。

Question

I am developing an android application which uses php webservices. I have been having issues with handling sessions between the server-side and the client-side, so I decided to do a different approach. I am planning on create a user_session table which will contain the session_id, user_id, session_token and expiry_date.

The session_token will be generated using some fields from the users while the expiry_date is date for when the session_token will be re-generated or changed to null. This will mean that the user will need to log in again on the android.

A scenario: 1. The user enters correct credentials 2. The web-service generate a session_token for the user, stores it in the user_session table and sends the value to the client-side. 3. For every request from the android application, the web-service will verify if the session_token on the client-side corresponds to the session_token in the table.

My questions: 1. Can you help me in creating the session_token and the expiry_date as I do not know how to generate a unique value in php using other fields. 2. Is it worth it in terms of security?

Thank you for your help

Answer 1

You can use hasing:

$token = sha1($ssid.$something);

$ssid = session_id();

That $token variable it's your token .. insert it in database, and create conditions. It's unique, it's based on session id and other "think" You can use email address or other field... but be carefull, if the user change that field, you need to generate again the token