[nycphp-talk] sessions and application security
Chris Hubbard
chubbard at next-online.net
Tue Jan 27 11:46:27 EST 2004
All,
I'm back for more information. I need to port a financial application.
So it's important to make the session management as strong as possible.
One of the guys on the team advocates designing the application so it
doesn't use sessions, basically passing a token in the URL that tells
the server who the person is and where they are in the application. I'm
leaning toward database session management.
Who's right? Or are we both right/wrong?
The application when it's deployed will have two or three web servers
handling the traffic, with a separate Oracle server. We will have
multiple servers for two reasons, first to handle the load, and second to
provide some failover. So whatever mechanism we implement will need to
scale. We definitely don't want to make it easy for people to hijack
the session. And I'd like to make it so it takes Sterling more than 90
seconds to get the keys to the kingdom. The application will be running
with SSL.
I don't have control over the client environment, so I can't force users
to use a particular browser, or browser settings. I can detect what they
do have though (obviously).
One thought is to use both a token in the url and database sessions,
where the token in the url is a checksum of the database session, and
possibly vice versa. That way I can check both. If I have a checksum in
both, then I can compare the checksum. Hmm.
Thoughts, suggestions, or even better what is the "best" way to do this?
Chris
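As an added example (not code from the original post or from anyone on the list), here is one way to combine the two ideas in the message: sessions stored in the shared database so any of the web servers can serve the next request, and a session token whose second half is an HMAC "checksum" of the random first half, so a guessed or edited token is rejected before the database is even consulted. SQLite in memory is used so the file runs offline; the DSN, the table layout and $SERVER_KEY are assumptions, and the Oracle deployment would use an oci: DSN and a MERGE statement in place of the SQLite upsert.

```php
<?php
// Added example, not from the original post. Database-backed session store
// shared by several web servers, with the session id bound to a server-side
// key by HMAC-SHA256. Requires PHP 8.0+. $SERVER_KEY and the DSN are
// placeholder assumptions.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface,
    SessionIdInterface, SessionUpdateTimestampInterface
{
    public function __construct(
        private PDO $db,
        private string $key,          // secret shared by every web server
        private int $lifetime = 900   // idle timeout, seconds (assumption)
    ) {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    // id = 64 hex chars of CSPRNG output + "." + HMAC over those chars.
    // The HMAC is the "checksum" from the post: it ties the token to a key
    // only the servers hold, so a forged id fails validateId() cheaply.
    public function create_sid(): string
    {
        $rand = bin2hex(random_bytes(32));
        return $rand . '.' . hash_hmac('sha256', $rand, $this->key);
    }

    public function validateId(string $id): bool
    {
        $parts = explode('.', $id, 2);
        if (count($parts) !== 2 || strlen($parts[0]) !== 64 || !ctype_xdigit($parts[0])) {
            return false;
        }
        // constant-time compare so the tag cannot be recovered byte by byte
        return hash_equals(hash_hmac('sha256', $parts[0], $this->key), $parts[1]);
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Unknown, tampered or expired ids read back as an empty session.
    public function read(string $id): string|false
    {
        if (!$this->validateId($id)) {
            return '';
        }
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetchColumn();
        return $row === false ? '' : $row;
    }

    public function write(string $id, string $data): bool
    {
        if (!$this->validateId($id)) {
            return false;
        }
        // SQLite upsert; Oracle would use MERGE here.
        $st = $this->db->prepare('INSERT INTO sessions (id, data, expires) VALUES (?, ?, ?)
            ON CONFLICT(id) DO UPDATE SET data = excluded.data, expires = excluded.expires');
        return $st->execute([$id, $data, time() + $this->lifetime]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);   // slide the idle timeout forward
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// --- demonstration with constructed values ---------------------------------
$SERVER_KEY = 'placeholder-key-loaded-from-server-config';   // assumption
$db = new PDO('sqlite::memory:');                             // oci:... in deployment
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new DbSessionHandler($db, $SERVER_KEY);

// In the application, before session_start():
//   session_set_save_handler($handler, true);
//   ini_set('session.use_strict_mode', '1');  // PHP then calls validateId()

$sid = $handler->create_sid();
$handler->write($sid, 'user_id|i:42;');                       // constructed data
echo 'valid id reads back: ', var_export($handler->read($sid) === 'user_id|i:42;', true), "\n";

// Change one hex digit of the random part: the HMAC no longer matches.
$tampered = ($sid[0] === 'a' ? 'b' : 'a') . substr($sid, 1);
echo 'tampered id rejected: ', var_export(!$handler->validateId($tampered), true), "\n";
echo 'tampered id reads empty: ', var_export($handler->read($tampered) === '', true), "\n";
```

Two design notes on the post's own questions. First, the HMAC tag only proves the token was minted by a server holding the key; it does nothing against someone who obtained a real token, so the idle timeout, gc(), and calling session_regenerate_id() after login still matter. Second, where the token travels matters more than whether it is checksummed: a token in the URL ends up in browser history, proxy and web-server logs, and the Referer header of any outbound link, while a cookie marked Secure and HttpOnly over the SSL connection the post already plans for stays out of all of those, which is why most of the protection here assumes the id rides in a cookie even though the same handler would validate a URL-carried one.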