I have created a sessions table for a login system. When a user logs in successfully, a random session key is generated and associated with the user id of the logged-in user, and in the sessions table I added an expirytime column whose default value is the current timestamp plus one hour, i.e. if the time is 17:10:32 then that column will hold 18:10:32. All of this is stored in the database. Upon login the session key is checked, and this time is checked by this command: "SELECT * FROM active_sessions where session_key = :asession and expirytime > NOW()"
My question is: in the case where a session has expired (i.e. the expirytime column's time has passed), is it possible that if someone changes his computer time, my query above will become true and the expired session will be used?
And secondly, is there any way to make a session work only from the device on which it was created (to prevent stealing of cookies and using them on another device)? Thank you
NOW() would return the server time, so a user changing local time would not affect the expiry flow.
As for ensuring the session works only for the initiating machine, you might want to do a few things:
These would not give you 100% protection but you'll have something to start with.
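A runnable sketch of the expiry check from the question, added here as an example (not code from either poster), using Python with an in-memory SQLite table. The application server's clock is passed in explicitly as `server_now` to stand in for MySQL's NOW(), so the scenario can move time forward; the `client_headers` parameter is an assumption used only to show that nothing the client sends takes part in the comparison.

```python
import sqlite3
import secrets
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(hours=1)
FMT = "%Y-%m-%d %H:%M:%S"  # ISO-like text compares correctly as strings in SQLite

def open_db():
    # In-memory stand-in for the poster's active_sessions table.
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE active_sessions (
        session_key TEXT PRIMARY KEY,
        user_id     INTEGER NOT NULL,
        expirytime  TEXT NOT NULL)""")
    return conn

def create_session(conn, user_id, server_now):
    # Random, unguessable key; expiry is derived from the server clock only.
    key = secrets.token_urlsafe(32)
    expiry = (server_now + SESSION_LIFETIME).strftime(FMT)
    conn.execute("INSERT INTO active_sessions VALUES (?, ?, ?)",
                 (key, user_id, expiry))
    return key

def lookup_session(conn, session_key, server_now, client_headers=None):
    # Same condition as the question's query. client_headers (hypothetical,
    # whatever the browser claims about its own clock) is accepted only to
    # show that it is never an input to the comparison below.
    row = conn.execute(
        "SELECT user_id FROM active_sessions "
        "WHERE session_key = ? AND expirytime > ?",
        (session_key, server_now.strftime(FMT))).fetchone()
    return row[0] if row else None

def demo():
    # Constructed scenario: login at 17:10:32, then checks at later server times.
    conn = open_db()
    login = datetime(2024, 1, 1, 17, 10, 32)
    key = create_session(conn, 42, login)
    rolled_back_client = {"Date": "2024-01-01 17:15:00"}  # client clock set back
    return {
        "fresh":   lookup_session(conn, key, login + timedelta(minutes=5)),
        "expired": lookup_session(conn, key, login + timedelta(hours=2),
                                  rolled_back_client),
        "unknown": lookup_session(conn, "not-a-real-key", login),
    }

if __name__ == "__main__":
    print(demo())  # {'fresh': 42, 'expired': None, 'unknown': None}
```

Because the expiry is both written and compared using the server's clock, the "expired" lookup fails even though the client claims an earlier time.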