The idea here is that each session will be unique. How does it identify a session? By the three values in the primary key: `session_id`, `ip_address`, and `user_agent`.
If you think about it, this makes sense:
- If the `session_id` changes, then (obviously) you're dealing with a different (new) session.
- If the `ip_address` changes, then somebody's logging in from a different PC - this will be a new session.
- If the `user_agent` value changes, then somebody's using a different browser - again, this will be a new session.
So imagine that only the `session_id` is the primary key: changing either `ip_address` or `user_agent` would simply update the existing row for the `session_id`. If that were the case, knowing only the `session_id` would make it possible for me to continue the same session on another PC or with a different browser, which might be a security concern.
You also wrote "this table adds a row to every user's access to the system, so, it is very bloated". I'm not sure if you mean every time user A accesses the system it adds a row (which is false on my application, I just tested it) or if you mean it adds a row for each user accessing the system (which is true, and the way it's supposed to work - each user using the system has a session). Maybe you could clarify that last comment.
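The difference between the two key designs described in the answer above can be checked with a small model. This is an added example, not part of the original answer and not the framework's own code: the `sessions` table name, the `user_data` column, the helper functions and all sample values are assumptions constructed for illustration.

```python
import sqlite3

# Column names session_id / ip_address / user_agent come from the answer;
# the table name and the user_data column are assumed for this model.
SCHEMAS = {
    "composite": "CREATE TABLE sessions (session_id TEXT, ip_address TEXT, "
                 "user_agent TEXT, user_data TEXT, "
                 "PRIMARY KEY (session_id, ip_address, user_agent))",
    "id_only": "CREATE TABLE sessions (session_id TEXT PRIMARY KEY, "
               "ip_address TEXT, user_agent TEXT, user_data TEXT)",
}
LOOKUPS = {
    "composite": "SELECT user_data FROM sessions "
                 "WHERE session_id=? AND ip_address=? AND user_agent=?",
    "id_only": "SELECT user_data FROM sessions WHERE session_id=?",
}

def open_store(kind):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMAS[kind])
    return db

def login(db, session_id, ip, ua, user):
    db.execute("INSERT INTO sessions VALUES (?,?,?,?)", (session_id, ip, ua, user))

def resume(db, kind, session_id, ip, ua):
    """Return the user bound to the matching row, or None if a new session starts."""
    args = (session_id, ip, ua) if kind == "composite" else (session_id,)
    row = db.execute(LOOKUPS[kind], args).fetchone()
    if row is None:
        # No row for this key: start a fresh, unauthenticated session.
        db.execute("INSERT INTO sessions VALUES (?,?,?,?)", (session_id, ip, ua, ""))
        return None
    if kind == "id_only":
        # The single-column key matched: the row is just updated in place.
        db.execute("UPDATE sessions SET ip_address=?, user_agent=? WHERE session_id=?",
                   (ip, ua, session_id))
    return row[0]

def demo(kind):
    db = open_store(kind)
    # Constructed sample values (documentation IP ranges, made-up session id).
    login(db, "abc123", "203.0.113.10", "Firefox", "alice")
    same = resume(db, kind, "abc123", "203.0.113.10", "Firefox")
    other = resume(db, kind, "abc123", "198.51.100.7", "Chrome")
    rows = db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    return same, other, rows

if __name__ == "__main__":
    for kind in SCHEMAS:
        print(kind, demo(kind))
```

With the three-column key, the request from the second address and browser does not match the existing row and gets a new, empty session; with `session_id` alone as the key, the same request resumes the original user's session and the row is overwritten.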