How To Create a Secure Session Management System in PHP and MySQL
This guide will show you how to store your sessions securely.If anyone manages to hack into the database, all session data will be ciphered by 128-bit AES.
Step 1: You can create a database.
We will create a database called "secure_sessions" in this guide.You can see how to create a database.The code below can be used to create one for you.Some hosting services don't allow you to create a database through phpMyAdmin, learn how to do it in cPanel.
Step 2: You can create a user with only SELECT, INSERT and DELETE privileges.
The hacker wouldn't be able to drop tables from our database if there was a security breech in our script.If you're paranoid, make a different user for each function.The user code is "eKcGZr59zAa2BEWU"It is a good idea to change the password on your own server.Make sure you change your code.It doesn't need to be a password if you can remember it.There is a random password generator.
Step 3: The table is called "sessions".
The "sessions" table is created by creating a table with 4 fields (id, set_time, data, session_key).The use of CHAR saves on processing power.
Step 4: Class can be created.
You need to enter the code below to start a new class.
Step 5: The function will be created.
Every time a new instance of an object is created using the'session' class, this function will be called.The function sets our custom session handler so it can be used as soon as the class is instantiated.Set our custom session functions.session_set_save_handler(array($ this, 'open'), array($this,' close'))); // Thisregister_shutdown_function
Step 6: The start_session function should be created.
If you want to start a new session with this function, use it instead of session_start.You can see the comments in the code.Make sure the session cookie isn't accessible via javascript.$httponly is true, and is used for the sessionGet a list of available hashes with the use of hash_algos.If the has function is set, $session_hash should be'sha 512'.The number of bits per character of the hash is called ini_set.The possible values are '4', '5' and '6'.The session should only use cookies, not URL variables.Set the parameters session_set_cookie_paramsA new key is generated in the database.Session_regenerate_id is true.
Step 7: You can create an open function.
When we start a new session, we use this function to connect to a database.Functions open,pass, andmysqli are used.
Step 8: Close function can be created.
When the sessions want to be closed, this function will be called.function close
Step 9: The read function needs to be created.
This function will be called when we try to access a session.We take advantage of prepared statements, not only for security, but also for performance, because there might be many calls to this function on a single page.We can execute the statement many times if we only prepare it once.Session data that is in the database is also decrypted.In our sessions, we are using a 128-bit cipher.function read($id), if(!isset($this->read_stmt))Limit 1; $this->read_stmt->bind_param('s', $id);
Step 10: Write function created.
When we assign a value to a session, this function is used.The data gets into the database with the help of the function.The function write($id, $data) is used to get a unique key.Return true, $this->w_stmt->bind_param('siss', 'id,' 'time')
Step 11: Make a destroy function.
The session is deleted from the database by this function.function destroy($id), if(!isset($this->delete_stmt))$this->delete_stmt->bind_param('s', $id); return true.
Step 12: Thegarbage collector function can be created.
The garbage collector function is called to remove old sessions.Session.gc_probability and session.GC_divisor are two configuration directives that determine the Frequency in which this function is called.function gc($max) if(!isset($this->gc_stmt)"); $old - $max; $this_stmt_bind_param('s') - return true;
Step 13: GetKey is a function that can be created.
This function can be used to get a unique key from the sessions table.If there is no session, it returns a new random key.Private function getkey($id) if(!isset($this->key_stmt))If($this->key_stmt) is the result, LIMIT 1.
Step 14: It is possible to create encrypting and decrypt functions.
The data of the sessions is protected with these functions, they use an encryption key from the database which is different for each session.We don't directly use that key, but we use it to make the key random.Private function encrypt($ data, $key)
Step 15: The class is over.
The classes have curly brackets.
Step 16: The sessions are being used with the custom session manager.
You need to include this on every page you want to access the sessions in order to start a new one.'; echo $_SESSION'.