It sounds like you've got the basics covered. However, if you're doing that all manually, then you are effectively just implementing your own $_SESSION, and not taking advantage of the fact that it can already do all that for you.
If you want to use a database to handle a session, you can override the default session handling with your own. Take a look at session_set_save_handler(). I do this in my apps.
// Renamed from SessionHandler: since PHP 5.4 that name is taken by a built-in class,
// so declaring it yourself fails with "Cannot declare class SessionHandler".
class MySessionHandler
{
    private $db;          // database wrapper providing query() and escapeData()
    private $sessionName;
    private $maxLifeTime; // session lifetime in seconds

    public function open($save_path, $session_name)
    {
        $this->sessionName = $session_name;
        return true;
    }

    public function close()
    {
        //stuff
        return true;
    }

    public function read($id)
    {
        // Only a row updated within the last maxLifeTime seconds counts as a live session.
        // Note the id is escaped into the SQL string here; a prepared statement is the safer form.
        $expiretime = date("Y-m-d H:i:s", time() - $this->maxLifeTime);
        $sql = "SELECT * FROM sessions WHERE sessionid='" . $this->db->escapeData($id) . "' AND lastupdated>='" . $expiretime . "' LIMIT 1";
        $result = $this->db->query($sql);
        //etc.
    }

    //etc. (write, destroy and gc go here)

    public function setAsSessionHandler()
    {
        session_set_save_handler(
            array($this, 'open'),
            array($this, 'close'),
            array($this, 'read'),
            array($this, 'write'),
            array($this, 'destroy'),
            array($this, 'gc')
        );
    }
}

$sessionHandler = new MySessionHandler();
$sessionHandler->setAsSessionHandler();
You can have all the functionality you just described that you've implemented yourself by using this, but still have the power of $_SESSION to do it for you.
For instance, if you wanted to add an IP check to see if the session is still valid before you start it, you can add that as part of the "open" function. If you wanted to write the session data to ten different databases (not that you would), you could accomplish this in the 'write' function.
Those functions are all used based on how you use $_SESSION, and by putting them into a simple class, you can manage how it works very effectively.
You'll see that the session id is a parameter passed to the read/write/destroy functions, and you'll still manage this the same way using your GUID generation routine. However, you could stick the guid generation and checks into this session manager class and simply have the open() function do them. Centralized, no muss, no fuss.
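A fuller version of the same idea, added here as an example and not taken from the answer above: a PDO-backed handler implementing SessionHandlerInterface (PHP 8+), with prepared statements instead of escaped string concatenation, the expiry check from the answer's read(), and the client-IP check the answer suggests. The `sessions` table layout (the `data` and `client_ip` columns), the DSN and the 1800-second lifetime are assumptions made for this example.

```php
<?php
// Assumed table (constructed for this example), MySQL syntax, PHP 8+:
//   CREATE TABLE sessions (sessionid VARCHAR(128) PRIMARY KEY, data BLOB,
//                          client_ip VARCHAR(45), lastupdated DATETIME);
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifeTime) {}

    public function open(string $savePath, string $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Return data only for an unexpired session bound to the caller's IP;
    // anything else looks like "no session", so PHP starts a fresh one.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE sessionid = :id
            AND client_ip = :ip AND lastupdated >= :cutoff LIMIT 1');
        $stmt->execute([':id' => $id, ':ip' => $_SERVER['REMOTE_ADDR'] ?? '',
            ':cutoff' => date('Y-m-d H:i:s', time() - $this->maxLifeTime)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('INSERT INTO sessions (sessionid, data, client_ip, lastupdated)
            VALUES (:id, :data, :ip, NOW())
            ON DUPLICATE KEY UPDATE data = VALUES(data), lastupdated = NOW()');
        return $stmt->execute([':id' => $id, ':data' => $data,
            ':ip' => $_SERVER['REMOTE_ADDR'] ?? '']);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE sessionid = :id')
            ->execute([':id' => $id]);
    }

    // Called by PHP's probabilistic GC; also safe to run from cron.
    public function gc(int $maxLifeTime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE lastupdated < :cutoff');
        $stmt->execute([':cutoff' => date('Y-m-d H:i:s', time() - $maxLifeTime)]);
        return $stmt->rowCount();
    }
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password'); // placeholder DSN
session_set_save_handler(new DbSessionHandler($pdo, 1800), true); // true: also registers shutdown
session_start();
```

Binding to REMOTE_ADDR drops sessions for clients whose address changes mid-session (mobile networks, proxy pools), so treat the IP check as a tunable control rather than a hard requirement.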