There is a PHP web application that uses a user authentication and authentication mechanism based on sessions. The user logs in to the application under his account, where he fills out a form that writes data to a MySQL database.

In the database there is a field in which the user id is written; when the form is submitted, it is taken, roughly speaking, from $_SESSION["user_id"].

The fact is that when the form is filled for a long time, temporary files with information about the session are periodically killed on the server, and in the absence of additional checks, user_id = 0 is written to the database, which is not good. When adding a check to the script on the form submission, a notification is issued à la “something went wrong” and the user has to log in again and fill out the entire form.

How to avoid such situations?

  • Also set cookies ...... if there is no session, authorize by cookie. - Alexey Shimansky
  • I.e., the session mechanism is not applicable in this use case? Sessions are usually preferred due to the lack of trouble with security, etc ... - spbvalentine
  • I wrote "also set cookies" ..... not instead of a session ..... but IN ADDITION ..... if the session is killed for some reason or other, then we look for the cookie. - Alexey Shimansky
  • What is the size of the form? 1) Break the form into smaller pieces, so as not to exceed the session time. 2) Raise the length of the session to reasonable limits (stackoverflow.com/questions/8311320/…). 3) If a person opened the form and went for a smoke, then force them to log in again as normal! - E_p
  • @Alexey Shimansky I don’t think that cookies are a good option, as there is more opportunity to make holes. - E_p

1 answer

The fact is that when the form is filled out for a long time, temporary files with information about the session are periodically killed on the server

This is the problem that must be solved; then this question will become irrelevant, along with a dozen more that you have not yet encountered.

With the default PHP settings this does not happen! If a session (i.e., session cookie or file) disappears due to your settings - analyze what you are changing and find another solution.

You can store user_id directly in cookies, but you can trip over the cookie lifetime in the same way. So I advise you not to seek a workaround, but to cure the disease.

P.S. When user_id is unknown, it turns out that entries can be added without authorization! Such things must be checked when processing the request.
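
Added example, not part of the original answer or thread: a form handler that applies the check from the P.S., so a request without a valid $_SESSION["user_id"] never writes a row, and the submitted fields are kept for pre-filling the form after re-login. The entries table, the DSN and credentials, the session directory, /login.php and /form.php are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example: table/column names, DSN, credentials, paths and URLs are hypothetical.
// Keep session data for 2 h of inactivity and store it in a directory no other
// application shares (with a shared directory, the shortest gc_maxlifetime of
// any application using it decides when session files are deleted).
ini_set('session.gc_maxlifetime', '7200');
ini_set('session.save_path', '/var/lib/php/sessions-myapp');
session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'cookie_samesite' => 'Lax']);

/** Returns the logged-in user's id, or null when there is none; never 0. */
function current_user_id(): ?int
{
    $id = filter_var($_SESSION['user_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Reads one POST field as a string (arrays and missing fields become ''). */
function post_str(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fields = ['title' => post_str('title'), 'body' => post_str('body')];
    $userId = current_user_id();

    if ($userId === null) {
        // Session expired while the form was open: write nothing to the database.
        // Park the input in the new anonymous session so the form page can
        // pre-fill it after login and the user can resubmit it.
        $_SESSION['pending_form'] = $fields;
        header('Location: /login.php?next=form', true, 303);
        exit;
    }

    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret',
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare(
        'INSERT INTO entries (user_id, title, body) VALUES (:uid, :title, :body)');
    $stmt->execute([':uid' => $userId, ':title' => $fields['title'], ':body' => $fields['body']]);
    unset($_SESSION['pending_form']);   // draft is stored, drop the parked copy
    header('Location: /form.php?saved=1', true, 303);
    exit;
}
```

The login script should call session_regenerate_id(true) after a successful login; the parked pending_form data survives that call because only the session id changes.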