Session security and user tracking

Ive been working on a PHP project that requires a user to be tracked as they select various options on the site. I’m using session ids stored in a mysql database to track the selections. There is no login form and no vital data, payment details etc stored or passed with the session. I would like to know what should I do to ensure that the sessions are secure as possible?

As soon as the user hits the front page a session is generated for them.


if (!isset($_SESSION['userid'])) {
	$_SESSION['userid']=md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);

I use this session to track the user. Once the user selects an option the user is assigned an id and a row in the database table ‘users’. The session is then used as a lookup for that user to another table ‘options’. Once the user has finished selecting their options they finalise by clicking submit and the session is unset and destroyed. An email is sent with that customers options to the admin. I used sessions instead of simply a userID because I needed to make the variable site wide. I didn’t want to use global variables in my functions.

Any form data is sanitised by mysql_real_string, htmlentities as well as int() for expected integer values.

Any suggestion as to what else I need to do to keep it secure as possible?

Why do you generate userid in this way? I think you could as well use session_id() as userid. session_id is generated by php automatically when a session is initialised so no need to generate another id - unless you have some specific need for the userid to be different.

Sounds fine to me. But you don’t need to use htmlentities for sanitising, mysql_real_escape_string is enough. But then use htmlentities/htmlspecialchars whenever you output string data to the browser as part of html.

Cheers, security is always my biggest headache. Wish evil people didn’t hack but I suppose you can’t have everything.