HTTP is stateless, that does not know about the user when visiting the page again. but session keeps track the user and maintains the state that how many times the user visit the page again.
When developing a web application with user authentication, It is important to identify the logged in user and remember that user even after sometimes. Remember user with session and cookie is easier. But if it is not handle with proper way then it lead to attacks such as session hijack and more. This example gives best practices and it may vary on implementations based on different scenario. Consult with experts before implement in practical.
- Best Practice
- Session Management
- Generate Unique ID
- Regenerate Unique ID
- Set Unique ID
- Check for Unique ID
- Expiry Remember Token
- Remove Remember Token
The steps are recommended to remember logged in user in a safe way:
- Set a session name for the application or project. It should be unpredictable.
- Start and Implement session management.
- This creates a session id and it will set cookie in the browser.
- Use that session id until the user before the login state change.
- After logged in, regenerate session id for the user. This will prevent session related attacks.
- Use either session id or generate any other unique id as remember identity of the user.
- Store that unique id in database as well as a cookie.
- That unique id used to detect the valid logged in user with cookie.
- Whenever changes in user logged state, regenerate that unique id and update on database as well as cookie.
- After logged out, make that unique id invalid to use in future by remove in database and remove cookie.
Allocate separate table in database for storing remember token if required. Always prefer to use hashing and salting for passwords to store in database, that unreadable by others as well as machines.
It is essential for track user and their activity across multiple pages on the domain.
When visiting a page, session_start() function will generate unique session id that stored as file in server. when response sent to the browser, that sets cookie in browser with same session id.
session_start() function is defined before to of any content or before any content sent to the browser to avoid errors. So, HTTP headers sent first to the browser to set cookies and other things.
Once session started, That session can store session data as file on server. To storing a large data which take time to load and read that session data. It results in performance lag. Store small amount of data rather than large.
Start the Session:
session_name('unpredictable_unique_session_name');
session_start();In practical, It is recommended minimum 128 bit key required or generate above 32 characters of length.
Use session id as remember token:
session_start();
$unique_id = session_id();Custom unique id as Remember token:
session_start();
$unique_id = random_bytes(128);
$unique_id = bin2hex($unique_id);Set generated unique id in cookie:
// setting cookie
setcookie("remember_token", $unique_id, time() + 2592000); // Cookie expires in 30 dayssession_regenerate_id function will regenerate session id by preserving data. Best practice is use to regenerate on each request, but it is written on server that cause performance issue.
But preferable strategy is regenerate unique id whenever user state changes such as login, logged out, account registered, deactivated and so on.
After successful authentication or any other user state changes, store necessary user information in cookie and session:
// regenerate session id after user state changes
session_start();
session_regenerate_id();
$unique_id = session_id();
// update in database with new session id
setcookie("remember_token", $unique_id, time() + 2592000); // Cookie expires in 30 daysOn subsequent page loads and to remember user is logged in status by checking and validating that unique id from cookie and session:
if (isset($_COOKIE['remember_token'])) {
// User is remembered for logged in status
// fetch details from database such as username
echo "Welcome, " . $_SESSION['username'];
} else {
// User is not logged in, redirect to login page
header('Location: login.php');
exit;
}After user is logged in, set remember token with expiry time in cookie.
To set session cookie PHPSESSID expiry time by using ini_set() function. But it is not recommend and not good practice to change PHP configuration and settings when using shared web hosting.
The best practice is store the remember token in separate cookie using setcookie() function rather than setting on session. Store remember token in the database. And additionally, regenerate remember token and update on both side whenever user state changed.
After logged out or account deactivation, remove remember token on both side. Destroy session data, Remove cookie and make unique id invalid or remove from database which ever is required. Remove that remember token on both client side cookie and server side session.