Best Practice - Session Handling / Timeout

What is the best practice for handling sessions and timeouts on a C++ server with MySQL?

My C++ server generates a session GUID and sends it to the client browser as a Set-Cookie.

Should I ever stand a session?

Should I keep the session GUID in my MySQL user table?

When the user does something, should I update the timestamp in the table, or do I need to keep the sessions and the last action directly on the C++ server?

How should I handle the "Stay logged in" session, whose session GUID never expires? (It could be a big security gap.)

+4
1 answer

I can't help you with the C++ part, but here are a few pointers on sessions (server side):

  • A session object must support at least:

    • the last access time (when the request was made)
    • its expiration time, which is recalculated each time the session is accessed by adding the maximum idle time (the maximum time without access before the session expires) to the current time
  • On each access, the expiration time stored in the session object is compared with the current time to determine whether the session has expired. If so, the session is invalid and the session object is deleted from the session manager's cache. In the case of a web server, a 302 is sent back to the client and the cookie is expired.

  • The session manager can implement a session cache that is either in memory or stored on disk. Saving it to disk allows session recovery in the event of a server restart. The cache can also use a distributed cache (for example, Memcache), which allows multiple servers in a cluster to share session objects and provides load balancing across servers.

+1
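The session object and expiry check the answer describes, written out as an added C++ example (this is not the answerer's code and not part of the original thread). It keeps the last access time and an expiration time recomputed on every access as now + maximum idle time, and evicts the session from the in-memory cache when that time has passed. Beyond what the answer states, it also adds an assumed absolute maximum lifetime so that a "Stay logged in" session cannot be refreshed forever, which addresses the security gap raised in the question; the class and member names, and the use of plain seconds instead of a real clock, are this example's own choices.

```cpp
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <optional>
#include <random>
#include <string>
#include <unordered_map>

// Added example, not code from the original answer. Times are plain seconds so
// the caller (or a test) supplies "now"; a real server would pass steady_clock.
using Seconds = std::int64_t;

struct Session {
    std::string user;
    Seconds created;     // when the session was issued (for the absolute cap)
    Seconds lastAccess;  // last request seen for this session
    Seconds expiresAt;   // lastAccess + maxIdle, recomputed on every access
};

class SessionManager {
public:
    // maxIdle: inactivity timeout from the answer.
    // maxLifetime: assumed absolute cap, so "stay logged in" still ends eventually.
    SessionManager(Seconds maxIdle, Seconds maxLifetime)
        : maxIdle_(maxIdle), maxLifetime_(maxLifetime) {}

    // Issue a new session; the returned id is the value for the Set-Cookie header.
    std::string create(const std::string& user, Seconds now) {
        std::string id = newId();
        sessions_[id] = Session{user, now, now, now + maxIdle_};
        return id;
    }

    // Called on every request. An expired session is erased from the cache and
    // nullopt is returned, so the caller can reply 302 and expire the cookie.
    std::optional<Session> access(const std::string& id, Seconds now) {
        auto it = sessions_.find(id);
        if (it == sessions_.end()) return std::nullopt;
        Session& s = it->second;
        const bool idleExpired = now >= s.expiresAt;
        const bool lifetimeExpired = now - s.created >= maxLifetime_;
        if (idleExpired || lifetimeExpired) {
            sessions_.erase(it);
            return std::nullopt;
        }
        s.lastAccess = now;
        s.expiresAt = now + maxIdle_;  // sliding expiration, as in the answer
        return s;
    }

    // Explicit logout: drop the session regardless of its timers.
    void invalidate(const std::string& id) { sessions_.erase(id); }

    std::size_t size() const { return sessions_.size(); }

private:
    // 128 random bits rendered as 32 hex characters; std::random_device is used
    // here as the system entropy source for the session id.
    static std::string newId() {
        std::random_device rd;
        char buf[33];
        for (int i = 0; i < 4; ++i)
            std::snprintf(buf + i * 8, 9, "%08x", rd());
        return std::string(buf, 32);
    }

    Seconds maxIdle_;
    Seconds maxLifetime_;
    std::unordered_map<std::string, Session> sessions_;
};

int main() {
    SessionManager mgr(/*maxIdle=*/1800, /*maxLifetime=*/86400);
    std::string id = mgr.create("alice", 1000);  // constructed sample timeline
    std::cout << "issued " << id << "\n";
    std::cout << "access at t=2700: " << (mgr.access(id, 2700) ? "ok" : "expired") << "\n";
    std::cout << "access at t=4500: " << (mgr.access(id, 4500) ? "ok" : "expired") << "\n";
    std::cout << "sessions cached: " << mgr.size() << "\n";
    return 0;
}
```

Whichever backing store you choose (in memory as here, on disk, or a distributed cache as the answer suggests), the check on each request stays the same: compare the stored expiration with the current time, evict on expiry, and otherwise slide the expiration forward.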
