I think that I figure dout how to do this:
When my user connect, after checking if he has the good username/password, a session key (a random long string) is created and put inside the DB. The same session_key is put inside the session.
If the user get out of my app without login off, when he comes back, if his session_key match one in the DB, the user is O.K and will connect as the user that have that session_key. If not, the session is closed, the user is rerouted to login. If there's no problem, a new session_key is created (to replace the old one).
I think it would be O.K., except for 2 things:
-How can I make the session_key disappear from DB after a certain time? I guess I should execute some code on the server, but how can I execute code on the server if nobody is using my app for a certain moment?
-If it's just the session_key, is it alright to use the cookie insted?
-Is it O.K. to just check if there's a session_key in the DB that correspond to the session_key in the session, or should I use something else to be sure? I will generate a random long string and crypt it the same way I do with password, so i think it will be secured enough and that it wouldn't be likely that the session_key be identical.
-insteed of using the username to get data from the DB, would it be O.K. to use the session_key (getStuffBySessionKey())?
