I use dynamically changing cookies in order to keep user logged in. To illustrate, after a successful login, login control function saves the user session info into
rememberme table and creates cookies with this info. The data kept in server are
expiration_date. If user having valid cookie (namely
expire time within cookies match with the data stored in
rememberme table) tries to access user-only accesible page, server creates a new cookie with different key, and default-period expiration time and updates this info inside
rememberme table. The cycle goes on this way. So, the user with valid cookie maintains logged in and extends his session expiration time with every request to the page.
My question is, how much is efficient to implement such session management style. Does this create a burden for server and database?
FYI, I use PHP/Mysql in Amazon EC2 micro Windows server for the
Why not use PHP sessions? They are designed for tasks just like this.
Using custom Sessions, I've found, is much much better than using PHP sessions. Using php sessions has caused random problems for me in the past. Especially if you're working with any third party programs. But, just in general, I love to have more control over my session handling, by dealing with my own sessions. I also, revalidate sessions, by updating the session id, comparing the user agent and ip address to help ensure the session wasn't hijacked, so these are definitely beneficial, in comparison to any overhead they create, which isn't much.
Just work on carefully testing your session handler for random user situations, to minimize bugs. Also, be sure to sanitize the information coming from the users $_SERVER variables, because those can be manipulated. And, another good practice, is to handle errors for any situation you can think of in your session handler to help prevent hijacks (as much as possible), and know immediately when and where a problem occurs (something you're not afforded in PHP sessions). Main advice, it's important, so make sure you do it right.