Women in Technology

Hear us Roar


Article:
  The PHP Scalability Myth
Subject:   Hidden variables for session state?
Date:   2003-10-17 20:23:47
From:   tarrant
Response to: Hidden variables for session state?

If you're putting the session in the db, you just need to send a cookie containing the id to the browser. This id wouldn't need to be encrypted all the time; you could simply give the browser a large random session id at the beginning, and you would therefore protect your sessions from spoofing.


Actually, I've usually had a userid and sessionid in separate cookies, with the sessionid being a random number. If someone tries to use their sessionid but someone else's userid, then there's a system alert and the session token isn't vaild.

Recommended for You
 
Sign up today to receive special discounts,
product alerts, and news from O'Reilly.
Privacy Policy >
View Sample Newsletter >