Want to maintain login session and prevent multiple logins in a multiple web application server environment

Hi Friends,

We have six web application servers which take care of load and availability. I am storing the session login time in a database table to maintain the session timeout and to prevent multiple logins by the same user. Due to this, if there are 1000 active users, there will be 1000 DB hits every two minutes to check the session timeout. Our application is huge and already puts a heavy load on the database, and I don’t want to overload the DB with this activity.

A few suggested that we can maintain it on the server side. If that particular server goes down, all the active users’ sessions will be gone and all must log in again.

I don’t want to maintain the session in browser cookies due to security. Is there any other way to do this on the client itself without a security threat?

Can you suggest any other way which is secure and addresses the above issue in a multiple-server environment?

Regards

Siva

Not sure which security issue a cookie poses, since if you’re not using a cookie for the session ID it’s more insecure, not less…

Hi Friend,

Our application security team advised us that if we maintain the login session in browser cookies, it is prone to being hacked.

Most of the Yii framework users have vast knowledge and experience, so many of them might have faced such issues.

I am a fresher; I have never faced this issue earlier. Kindly suggest me some solution for it.

Regards

Siva

I think you’re either confusing session cookies with “remember me” cookies or haven’t got what your security team tried to explain.

Session cookies are valid for the duration of the session only. By default the HttpOnly flag is set, so they cannot be stolen via JavaScript. If stolen, they become invalid fast.

“Remember me” cookies are valid for much longer and indeed, if stolen, that’s very bad.

In order to steal either a session cookie or a “remember me” cookie you need to perform a man-in-the-middle attack, which is not trivial in case you’re using HTTPS.

If you turn off cookies for sessions, PHP will use a GET parameter which, compared to a cookie, is totally insecure. It could be easily hijacked with JavaScript.
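As an added example (not code from this thread or from Yii), here is the PHP session setup the answer above describes: cookie-only session IDs with HttpOnly and Secure set, plus the idle timeout kept in the session itself instead of a database table. It assumes PHP 7.3 or later and a shared session store (memcached, redis or similar) configured separately so all servers see the same session; the cookie domain and idle limit are placeholders.

```php
<?php
// Added example, not code from the thread: hardened PHP session cookie setup
// for a login flow served by several web servers. Assumes PHP >= 7.3 and a
// shared session store already configured via session.save_handler /
// session.save_path, so every server sees the same session without a
// per-request database lookup.
declare(strict_types=1);

function configureSecureSession(): void
{
    // Never fall back to a session ID in the URL: it leaks via Referer
    // headers, proxy logs and client-side script.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Accept only server-issued IDs; an unknown client-supplied ID is rejected.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // assumption: one hostname fronts all six servers
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // unreadable from JavaScript (document.cookie)
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Replace the pre-login ID so a fixated or guessed ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Idle timeout is enforced from the session store itself, not from a DB table.
function currentUser(int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        session_unset();
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}
```

Call `configureSecureSession()` before any output on every request, `loginUser()` once credentials have been verified, and `currentUser()` wherever the logged-in user is needed.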