Session security and user tracking

I’ve been working on a PHP project that requires a user to be tracked as they select various options on the site. I’m using session ids stored in a MySQL database to track the selections. There is no login form and no vital data, payment details etc. stored or passed with the session. I would like to know what I should do to ensure that the sessions are as secure as possible.

As soon as the user hits the front page a session is generated for them.


<?php
session_start();

if (!isset($_SESSION['userid'])) {
	$_SESSION['userid']=md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
}
?>

I use this session to track the user. Once the user selects an option the user is assigned an id and a row in the database table ‘users’. The session is then used as a lookup for that user to another table ‘options’. Once the user has finished selecting their options they finalise by clicking submit and the session is unset and destroyed. An email is sent with that customer’s options to the admin. I used sessions instead of simply a userID because I needed to make the variable site wide. I didn’t want to use global variables in my functions.

Any form data is sanitised by mysql_real_string, htmlentities as well as int() for expected integer values.

Any suggestions as to what else I need to do to keep it as secure as possible?

Why do you generate userid in this way? I think you could as well use session_id() as userid. session_id is generated by PHP automatically when a session is initialised so no need to generate another id - unless you have some specific need for the userid to be different.

Sounds fine to me. But you don’t need to use htmlentities for sanitising, mysql_real_escape_string is enough. But then use htmlentities/htmlspecialchars whenever you output string data to the browser as part of HTML.
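The split suggested in the replies above (session_id() as the lookup key, SQL handling when the value goes into the database, HTML encoding only when it is written to the page), as an added example that is not part of the original posts. It assumes PHP 7+ with pdo_sqlite and uses PDO bound parameters in place of mysql_real_escape_string, because the mysql_* extension was removed in PHP 7; the in-memory database, the qty and note columns and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// an in-memory SQLite database stands in for the poster's MySQL 'options' table.
session_start();
$sid = session_id();   // PHP's own session id, used directly as the lookup key

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical columns: qty and note are not named in the thread.
$db->exec('CREATE TABLE options (session_id TEXT, qty INTEGER, note TEXT)');

// Constructed sample input, shaped like values arriving in $_POST.
$input = ['qty' => '3', 'note' => "<script>alert(1)</script> O'Brien"];

// Expected integers: validate and reject instead of silently casting.
$qty = filter_var($input['qty'], FILTER_VALIDATE_INT,
                  ['options' => ['min_range' => 1]]);
if ($qty === false) {
    exit("qty must be a positive integer\n");
}

// Input side: store the string exactly as received. The bound parameter
// keeps it out of the SQL text, so the quote in "O'Brien" is harmless
// and no HTML encoding is applied before storage.
$stmt = $db->prepare(
    'INSERT INTO options (session_id, qty, note) VALUES (?, ?, ?)');
$stmt->execute([$sid, $qty, $input['note']]);

// Output side: encode at the moment the value becomes part of HTML.
$stmt = $db->prepare('SELECT qty, note FROM options WHERE session_id = ?');
$stmt->execute([$sid]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo '<li>', (int) $row['qty'], ' x ',
         htmlspecialchars($row['note'], ENT_QUOTES, 'UTF-8'), "</li>\n";
}
```

Run from the command line, this prints one list item in which the script tag and the quote appear as HTML entities, while the row in the table still holds the original characters.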

Cheers, security is always my biggest headache. Wish evil people didn’t hack but I suppose you can’t have everything.