[nycphp-talk] Experts help needed (Sessions)

Dan Cech dcech at phpwerx.net
Thu Aug 4 12:05:55 EDT 2005


Joseph,

Sounds like you're making progress.

As for changing the session id on every page load, this can easily break 
session support when the user clicks the 'back' button or opens multiple 
windows if not done very carefully.

If you're looking for something to help you with managing an ACL type 
permissions system I would recommend phpGACL 
(http://phpgacl.sourceforge.net).  I'm a little biased as I engineered 
its database structure, but it sounds like it may be what you're looking 
for.

Dan

Joseph Crawford wrote:
> I think I finally got everything working the way I want it, I generate the 
> hash and store it alongside the session id, whenever the page is loaded it 
> gets the hash from the db, and calculates the user's hash, if they match 
> nothing is done, if they don't session_destroy is called and 
> session_regenerate_id is called so the new user doesn't get the same session 
> id as the one hijacked. Next I will implement a way to only do the check 
> every X page loads for the user or something because every page querying 
> this check could become resource intensive. I took a look at implementing 
> Adam's suggestion of regenerating the session id with every page load, I 
> looked at doing this and then updating the current db record with the new id 
> etc.. this would work if my hash didn't include the current session_id. The 
> way it is now if I regenerate every page, every other page thinks the 
> session has been hijacked ;)
> 
> Maybe sometime down the road I will look at implementing this ability as I 
> am sure it's a small restructure problem but I think it's ok for now ;)
> 
> Now I get to work on my user management and permissions system, figure out 
> how I am going to implement the roles and who has what role ;)
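
One way to structure the check discussed in this thread so that the stored hash does not depend on the session id, with the id rotated on an interval instead of on every page load. This is an added example, not code from the thread or its participants; the fingerprint inputs (User-Agent plus a server-side secret), keeping the hash in session data rather than a separate db record, the 300-second interval and all function names are assumptions. It needs PHP 7.1 or later.

```php
<?php
// Added example, not code from this thread. Assumed: fingerprint inputs
// (User-Agent + server-side secret), storage in session data, 300 s interval.
const ROTATE_AFTER = 300;
// The fingerprint excludes session_id(), so rotating the id keeps it valid.
function client_fingerprint(array $server, string $secret): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', $secret);
}

// Classifies the request as 'new', 'ok', 'rotate' or 'mismatch'.
function check_session(array &$session, array $server, string $secret, int $now): string
{
    $fp = client_fingerprint($server, $secret);
    if (!isset($session['fp'])) {
        $session['fp'] = $fp;
        $session['rotated_at'] = $now;
        return 'new';
    }
    if (!hash_equals($session['fp'], $fp)) {
        return 'mismatch';
    }
    if ($now - $session['rotated_at'] >= ROTATE_AFTER) {
        $session['rotated_at'] = $now;
        return 'rotate';
    }
    return 'ok';
}

// Call at the top of each page, in a web request.
function enforce_session(string $secret): void
{
    session_start();
    $state = check_session($_SESSION, $_SERVER, $secret, time());
    if ($state === 'mismatch') {
        $_SESSION = [];               // drop the suspect session's data
        session_regenerate_id(true);  // new id, old session record deleted
    } elseif ($state === 'rotate') {
        session_regenerate_id(true);  // periodic rotation, data kept
    }
}
// Constructed demo input; the CLI guard keeps it out of web requests.
if (PHP_SAPI === 'cli') {
    $s = [];
    $ua = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
    foreach ([[$ua, 1000], [$ua, 1100], [$ua, 1400], [['HTTP_USER_AGENT' => 'Other/2.0'], 1500]] as [$req, $t]) {
        echo $t, ' ', check_session($s, $req, 'demo-secret', $t), "\n";
    }
}
```

Because the comparison reads only session data, it adds no extra database query per page, and `session_regenerate_id()` is called on a live session rather than after `session_destroy()`.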


