User identification
Ilya, 2015-05-26 15:07:25

Own authorization: sessions, cookies, storage of user data. How to implement?

I wanted to try to implement my own system of authentication and authorization (not implemented in my case). Several questions arose.
1. How do I create a session? Just 250 random characters? Or a hash of something with something?
2. Is it enough to create a session during authorization, write it to the cookie, and on every access check the storage for whether such a session exists (IP and user-agent can also be recorded)? If it exists, treat this cookie as the user for whom this session was created (some information about the user will be stored with it)?
Google only gives tutorials for PHP, but there it has some kind of built-in session manager.


1 answer(s)
Alexey Malinin, 2015-05-26
@FireGM

1) In essence, a session from an abstract point of view is some kind of record somewhere on the server. Session data can be stored in a database or even in a file. The simplest case of a session identifier: a hash of a timestamp, unique user data (from the application's point of view) and unique client data (browser). It is very good if there is a lifetime, as when using Redis or Memcached (you can, of course, do it manually).
2) In principle, it is quite correct. For security, of course, it's better if not the raw session identifier is stored, but an identifier encrypted in some way (which only your server can decrypt, since only you know the key).
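An added example of the scheme discussed above (not code from the question or the answer): a server-side session store with a lifetime and user-agent binding, plus a cookie value that carries the identifier together with a keyed HMAC tag so a tampered or forged cookie is rejected. It uses an OS random token instead of the hash-of-timestamp variant, an HMAC signature in place of encryption, an in-memory dict as the storage, and a constructed key; the names `SessionStore`, `sign_cookie` and `verify_cookie` are hypothetical.

```python
import hmac, hashlib, secrets, time

# Constructed example key; a real deployment loads this from configuration.
SERVER_KEY = b"example-only-secret-key"

class SessionStore:
    """In-memory store: random identifier -> user record with expiry (hypothetical)."""
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user_id, user_agent):
        # Identifier from the OS CSPRNG: unguessable, unlike a hash of known inputs.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "ua": user_agent,
                               "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid, user_agent):
        """Return the user id for a live session matching this client, else None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() > rec["expires"]:   # lifetime elapsed: drop the record
            del self._sessions[sid]
            return None
        if rec["ua"] != user_agent:         # recorded client data does not match
            return None
        return rec["user_id"]

def sign_cookie(sid):
    """Cookie value 'sid.tag'; the tag is HMAC-SHA256 of sid under the server key."""
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"

def verify_cookie(value):
    """Return the sid if the tag verifies, else None (constant-time comparison)."""
    sid, _, tag = value.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not sid or not hmac.compare_digest(tag, expected):
        return None
    return sid
```

The cookie tag only proves the identifier was issued by this server; the store lookup is still what decides whether the session is alive and belongs to this client.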
