I have implemented the following:
There in the database table sessions fields current_session, long_session, user_id, and login_time.
Upon successful login generates two random strings. The first is written in standard PHP session and will current_session. The second is written to the user session cookie, and the hash of this string will be long_session. user_id - the user ID, login_time - time login.
Check whether the logged in user, as follows:
1. If the user has an active PHP session, check if it current_session if Yes, then the user is logged in.
2. If the user has no current session, but session is established cook, then searching for hash it in the database. If the entry is, and since the last login has passed is less than the specified amount of time (I use less than three months) then user_id take the rest of the data user and create the current session, the user is logged in.
When you logout just cleaning up the current current_session and long_session. If you want razlozhenii everywhere, cleaned all the value for user_id.
This approach allows us to strictly manage the sessions with a DB, but a standard mechanism for PHP sessions allows you to store a variety of information, like a csrf token, not littered base.
