I am storing sessions in my database. Everytime a user logs in, I create a new row corresponding to the new session, generate a new session id and send it as a cookie to the browser. My session data looks something like this:
{
'user_id': 1234
'user_name': 'Sam'
...
}
When a request comes, I check whether a cookie with a session id is sent. If it is, I fetch session data from my database (or memcache) corresponding to that session id.
When the user logs out, I remove the session data from my database (and memcache), and delete the cookie from the user's browser too.
Notice that in my session data, I don't have something like logged_in: true. This is because if I find a session record in the database (or memcache) I deduce that the user is logged in, and if there is no session record found, the user is not logged in.
My question is: is this the right approach? Should I have a logged_in key in my session data? Is there any possibility that a session record may be present on the server where the corresponding user is actually NOT logged in? Are there any security implications in having or not having such a key?