
Implementing session management


I'm implementing session management and am currently storing 4 types of info in the db:

  1. user_id
  2. session_id (hash)
  3. insertion_time (for timeouts)
  4. persistency (if user has a persistent cookie)

It is possible for the user to have multiple sessions open with different devices. If the user logs out, how do I know which of those sessions I should delete?

What unique information is usually stored along with the info I've already got? IP address does not really work as it could be shared. Should I store the browser info, but what if it is the same?


Solution

  • You should only use a single session id/hash to recognise a session.

    When a user logs in (e.g. with username/password) you will tell them what their session id/hash is.

    When a user is browsing, they will tell you their session id/hash for every page load. That's how you know it's an existing logged in user, and not some random new user.

    When a user tries to log out, they will still tell you their session id/hash. You can use that to find and delete the correct single session.
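An added example (not from the question or the answer) of the approach the answer describes: a per-device session store keyed only by the session token, where logout removes just the session the client presented. The store, the timeout values and the choice to keep only a SHA-256 hash of the token server-side are assumptions of this example; the in-memory dict stands in for the database table from the question.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Stand-in for the sessions table (user_id, session hash, insertion_time, persistency).
    Only the hash of the token handed to the client is stored, so a copied table
    does not contain usable tokens (design assumption of this example)."""

    def __init__(self, idle_timeout=3600, persistent_timeout=30 * 24 * 3600):
        self.sessions = {}  # session_hash -> {user_id, insertion_time, persistent}
        self.idle_timeout = idle_timeout
        self.persistent_timeout = persistent_timeout

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, persistent=False, now=None):
        """Issue a fresh random token for this device; a second device gets its own."""
        token = secrets.token_urlsafe(32)
        self.sessions[self._hash(token)] = {
            "user_id": user_id,
            "insertion_time": now if now is not None else time.time(),
            "persistent": persistent,
        }
        return token  # sent to the client as the session cookie

    def lookup(self, token, now=None):
        """Resolve the token presented on a page load to a user_id, or None.
        Sessions past their timeout are deleted on the way."""
        now = now if now is not None else time.time()
        key = self._hash(token)
        row = self.sessions.get(key)
        if row is None:
            return None
        limit = self.persistent_timeout if row["persistent"] else self.idle_timeout
        if now - row["insertion_time"] > limit:
            del self.sessions[key]
            return None
        return row["user_id"]

    def logout(self, token):
        """Delete only the session the client presented; other devices stay logged in."""
        return self.sessions.pop(self._hash(token), None) is not None

    def logout_everywhere(self, user_id):
        """Revoke every session of a user (e.g. after a password change); returns the count."""
        doomed = [k for k, v in self.sessions.items() if v["user_id"] == user_id]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)
```

No device fingerprint or IP address is needed to pick the right row: the token the client sends on logout already identifies its own session.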