    User-Level Session System

    Inspired by this thread and curious about a session system itself, I worked on a purely user-level one myself and was surprised to find out that it was rather easy to implement. Of course, because of its nature, there are certain convenient automatisms not available (auto globals, auto storing of session data, the need to globalise the session array). Now I am not suggesting it as a replacement (although I consider it even as slightly more secure due to the agent and language check), but I would like it to be the base of a discussion of what could be improved or changed about sessions.

    I attached the complete code along with the database schema and a demo.

    vsession_start() is the equivalent to session_start() and retrieves from the database the session data associated with the given session id. If this fails due to an invalid or non-existent session id, it issues a new one and sends it as a cookie to the client.
    PHP Code:
    // vsession_db_connect() and the COOKIE_NAME constant are defined in the attached code.
    function vsession_start()
    {
        global $_VSESSION;
        global $VSID;
        $create_session=true;

        // Activate this code block for a PHP identical session caching
        /*    header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
        header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
        header('Pragma: no-cache');*/

        vsession_db_connect();

        // Sessions with an idle time of 15 minutes are removed
        mysql_query('DELETE FROM sessions WHERE UNIX_TIMESTAMP()-lastaccess>'.(60*15));

        if (isset($_COOKIE[COOKIE_NAME]))
        {
            // The session id comes from the client, so it is escaped before use in the query
            $VSID=mysql_escape_string($_COOKIE[COOKIE_NAME]);

            $result=mysql_query('SELECT secval, data FROM sessions WHERE sid="'.$VSID.'"');

            $data=mysql_fetch_row($result);
            if ($data)
            {
                // secval is the md5 of the language and agent headers stored when the session was created;
                // a returning client whose headers hash differently is refused
                if ($data[0] && md5($_SERVER['HTTP_ACCEPT_LANGUAGE'].$_SERVER['HTTP_USER_AGENT'])!=$data[0]) exit('Possible session take-over');

                $_VSESSION=unserialize($data[1]);

                mysql_query('UPDATE sessions SET lastaccess=UNIX_TIMESTAMP() WHERE sid="'.$VSID.'"');

                $create_session=false;
            }
        }

        if ($create_session)
        {
            if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) && isset($_SERVER['HTTP_USER_AGENT'])) $secval=md5($_SERVER['HTTP_ACCEPT_LANGUAGE'].$_SERVER['HTTP_USER_AGENT']); else $secval='';

            // New session id derived from the current time
            $VSID=md5(time());
            setcookie(COOKIE_NAME,$VSID);

            // "a:0:{}" is the serialised form of an empty array
            mysql_query('INSERT INTO sessions VALUES ("'.$VSID.'", "'.$secval.'", UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), "a:0:{}")');
        }

        mysql_close();
    }

    There is no PHP equivalent, as PHP does this automatically when the script ends. vsession_write() needs to be called after you have set the last session data value and stores the entire data array serialised in the database.
    PHP Code:
    function vsession_write()
    {
        global $_VSESSION;
        global $VSID;

        // The whole session array is stored as one serialised string
        $data=mysql_escape_string(serialize($_VSESSION));

        vsession_db_connect();
        mysql_query('UPDATE sessions SET data="'.$data.'" WHERE sid="'.$VSID.'"');
        mysql_close();
    }

    The equivalent to session_destroy(): it deletes the cookie at the client and removes the associated data from the database.
    PHP Code:
    function vsession_end()
    {
        global $_VSESSION;
        global $VSID;

        // An empty value clears the cookie at the client
        setcookie(COOKIE_NAME,'');

        $_VSESSION=array();

        vsession_db_connect();
        mysql_query('DELETE FROM sessions WHERE sid="'.$VSID.'"');
        mysql_close();
    }

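    Since the post asks what could be improved, here is the same start/write/end design written the way I would harden it today. This is an added example, not code from the post or its attachment. It keeps the idea of binding the session to the Accept-Language and User-Agent headers, but it generates the session id from random_bytes() instead of md5(time()), which an attacker who knows roughly when a session was created can enumerate; it passes every client-supplied value through PDO prepared statements instead of string concatenation; it compares the fingerprint with hash_equals(); it drops a mismatching session and issues a fresh one instead of exit()-ing with a message; and it sets the HttpOnly, Secure and SameSite cookie attributes that the original setcookie() call leaves unset. Assumptions: PHP 7.3 or later, the PDO SQLite driver for an in-memory demo store (any PDO driver works), a `sessions` table with the five columns created below (the column name `created` is an assumption; the post's INSERT only implies a second timestamp column), and the constant name VS_COOKIE standing in for the post's COOKIE_NAME.

```php
<?php
// Added example, not from the post or its attachment. Assumptions: PHP 7.3+,
// PDO SQLite in-memory store for the demo, a `sessions` table with the columns
// below (`created` is an assumed name), VS_COOKIE in place of COOKIE_NAME.
declare(strict_types=1);

const VS_COOKIE   = 'VSID';
const VS_IDLE_MAX = 15 * 60;  // idle timeout, same as the post

function vs_db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, secval TEXT NOT NULL,
            created INTEGER NOT NULL, lastaccess INTEGER NOT NULL, data TEXT NOT NULL)');
    }
    return $pdo;
}

// Client fingerprint bound to the session, as in the post; the NUL separator keeps
// different header pairs from concatenating to the same string.
function vs_fingerprint(array $server): string
{
    return hash('sha256', ($server['HTTP_ACCEPT_LANGUAGE'] ?? '') . "\0" . ($server['HTTP_USER_AGENT'] ?? ''));
}

// Fresh session with an unpredictable id (the post derives its id from time()).
function vs_new_session(array $server, int $now): string
{
    $sid = bin2hex(random_bytes(32));
    vs_db()->prepare('INSERT INTO sessions (sid, secval, created, lastaccess, data) VALUES (?, ?, ?, ?, ?)')
           ->execute([$sid, vs_fingerprint($server), $now, $now, serialize([])]);
    return $sid;
}

// Equivalent of vsession_start(): returns [session id, session data].
function vs_start(array $cookie, array $server, int $now): array
{
    $db = vs_db();
    $db->prepare('DELETE FROM sessions WHERE lastaccess < ?')->execute([$now - VS_IDLE_MAX]);

    $sid = $cookie[VS_COOKIE] ?? '';
    if (preg_match('/^[0-9a-f]{64}$/', $sid)) {           // malformed ids never reach the query
        $st = $db->prepare('SELECT secval, data FROM sessions WHERE sid = ?');
        $st->execute([$sid]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            if (hash_equals($row['secval'], vs_fingerprint($server))) {
                $db->prepare('UPDATE sessions SET lastaccess = ? WHERE sid = ?')->execute([$now, $sid]);
                return [$sid, unserialize($row['data'], ['allowed_classes' => false])];
            }
            // Fingerprint mismatch: discard the stored session instead of exit()-ing,
            // then fall through and issue a fresh one.
            $db->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
        }
    }
    return [vs_new_session($server, $now), []];
}

// Equivalent of vsession_write().
function vs_write(string $sid, array $data): void
{
    vs_db()->prepare('UPDATE sessions SET data = ? WHERE sid = ?')->execute([serialize($data), $sid]);
}

// Equivalent of vsession_end().
function vs_end(string $sid): void
{
    vs_db()->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
}

// Cookie attributes the post's setcookie() call leaves unset; only sent under a
// web SAPI so the demo below also runs from the command line.
function vs_send_cookie(string $sid): void
{
    if (PHP_SAPI !== 'cli') {
        setcookie(VS_COOKIE, $sid, ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    }
}

// Demo with constructed requests: first visit and a write, the same client
// returning, then a different User-Agent presenting the same cookie.
$client = ['HTTP_ACCEPT_LANGUAGE' => 'en-GB', 'HTTP_USER_AGENT' => 'DemoBrowser/1.0'];
[$sid, $data] = vs_start([], $client, 1000);
vs_send_cookie($sid);
vs_write($sid, ['user' => 'alice']);

[$again, $data] = vs_start([VS_COOKIE => $sid], $client, 1100);
echo ($again === $sid && $data['user'] === 'alice') ? "same client: session resumed\n" : "unexpected\n";

$other = $client;
$other['HTTP_USER_AGENT'] = 'Other/2.0';
[$fresh, $data] = vs_start([VS_COOKIE => $sid], $other, 1200);
echo ($fresh !== $sid && $data === []) ? "changed agent: old session dropped, new id issued\n" : "unexpected\n";
vs_end($fresh);
```

    Run it with `php vsession_hardened.php` (file name is my choice). Two points carry over from the post unchanged and are worth keeping in mind: the header fingerprint is only a weak second factor, since anyone who can capture the cookie can usually capture the headers it was sent with, and a client whose browser updates mid-session will be logged out; and the idle sweep on every request, done here with a single indexed `DELETE ... WHERE lastaccess < ?`, is still cheaper than the `UNIX_TIMESTAMP()-lastaccess` expression in the post, which cannot use an index on `lastaccess`.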