  1. #1
    Can we go to a 48 hour day?
    Join Date
    May 2002
    Location
    MI
    Posts
    906

    advice on using db with sessions

    I have been thinking about trying out using the adodb session code for managing sessions on the server rather than in the standard sessions. The main purpose would be to help security on shared hosts and I'm curious how the speed compares.

    Has anyone used this? Does anyone have any comparisons of alternative systems (non-adodb) or know of any speed comparisons?

    Thanks for the tips.
    mitechie.com
    "Techies just think a little differently
    ...at least that is what they keep telling me."

  2. #2
    Resident Java Hater
    Join Date
    Jul 2004
    Location
    Gerodieville Central, UK
    Posts
    446
    While security is an issue, there are other things you can do (such as adapt the session id, use special form id's, blah blah blah to help with security, not to mention you should avoid saving too much personal stuff in sessions).

    A major reason for sessions being put in the DB is to help distribute an application across several webservers using a single DB server.

  3. #3
    throw me a bone ... now bonefry's Avatar
    Join Date
    Nov 2004
    Location
    Romania
    Posts
    848
    do not use DB-based sessions
    the session handler has always been buggy. For example (I don't know if the bug is still active) when I last tried to implement my own session handler the garbage collector was never called.
    Use the default handler and never record important data in the session. The most useful thing about a session is that session ID which you can use to make a connection between a user ID and the session in the database on login for example. That way, to check if a user is logged in, you check in the database and not in an insecure session var.

  4. #4
    SitePoint Enthusiast
    Join Date
    Feb 2004
    Location
    Montreal
    Posts
    77
    I know that this is a little OT, but bonefry, could you elaborate on some of those session problems you have encountered? I've got a custom session handler that has been having some very hard to trace bugs. The most annoying of which is that sometimes URLs are modified to have the PHPSESSID appended, and other times they are not. As soon as the URLs are modified the session dies upon the next request. Can't for the life of me figure it out.

  5. #5
    SitePoint Addict
    Join Date
    May 2003
    Location
    The Netherlands
    Posts
    391
    Quote Originally Posted by b1ind
    I know that this is a little OT, but bonefry, could you elaborate on some of those session problems you have encountered.
    Manual (session_set_save_handler)

  6. #6
    SitePoint Enthusiast
    Join Date
    Feb 2004
    Location
    Montreal
    Posts
    77
    Well, thank you for the response, but that was the first place I looked when I went ahead and built a session handler. I was more curious to know if there were problems that someone knew of not listed on the site.

  7. #7
    SitePoint Addict
    Join Date
    May 2003
    Location
    The Netherlands
    Posts
    391
    I decided not to use the session_set_save_handler directive after reading the users' comments on the manual; too bogus for my taste, as bonefry indicates. That's why I pointed you in that direction.

    Obviously you have come to a different conclusion while reading the same information.

  8. #8
    SitePoint Addict pachanga's Avatar
    Join Date
    Mar 2004
    Location
    Russia, Penza
    Posts
    265
    Quote Originally Posted by bonefry
    do not use DB-based sessions
    How would you share session data between several servers then?

  9. #9
    SitePoint Addict timvw's Avatar
    Join Date
    Jan 2005
    Location
    Belgium
    Posts
    354
    mount the session.save_path through nfs?

  10. #10
    SitePoint Addict
    Join Date
    Apr 2005
    Location
    San Diego, CA
    Posts
    205
    I've been using db sessions for 5 years and it works fine. There was a version of PHP4 that had a bug but that's long been fixed. I wrote my own handler functions that do a bunch of setup stuff like verifying the userid, garbage collection (mine runs just fine), database cleanup, etc. all with no problems.

    Sessions in themselves are not the problem; it's usually poor admin or coding practices. Where you'll run into problems is usually one of these areas:

    - Lack of understanding of the system as a whole including server access, network setup, and how users use the system. There are too many possible issues here but good administration skills are invaluable.

    - Lack of understanding of the code leaving holes or session variables floating around that shouldn't be. I use specific session var killers in some sections of my code to prevent floaters.

    - Lack of understanding of security in general. I've seen code where the username and/or password or some other identifying information are right in the HTML or URL. That's a big no-no. It might help to map out the security policy and decide where sessions are okay to use and where they are inappropriate to use. Also, how you set up and clean up sessions is extremely important. I've seen sites where sessions could be hijacked; don't let that happen.
    I study speed waiting. I can wait an entire hour in 10 minutes.

  11. #11
    SitePoint Zealot
    Join Date
    May 2003
    Location
    Midwest
    Posts
    100
    Same here, have never had a problem with database sessions
    Cyberlot Technologies Group
    FlashUnity - PHP Based Flash communications server


  12. #12
    SitePoint Addict pachanga's Avatar
    Join Date
    Mar 2004
    Location
    Russia, Penza
    Posts
    265
    Quote Originally Posted by timvw
    mount the session.save_path through nfs?
    I was thinking about this approach also but never tried it though. We've always used db for persisting sessions and never faced any problems about it.

    However it would be very interesting to hear about nfs implementation. Anybody tried it? Does it really make any sense to use nfs for that?

  13. #13
    SitePoint Zealot
    Join Date
    May 2003
    Location
    Midwest
    Posts
    100
    That would not work as you would have problems with data locking and corruption. Samba does not handle file locking gracefully.
    Cyberlot Technologies Group
    FlashUnity - PHP Based Flash communications server


  14. #14
    SitePoint Addict timvw's Avatar
    Join Date
    Jan 2005
    Location
    Belgium
    Posts
    354
    samba <=> nfs

  15. #15
    SitePoint Addict
    Join Date
    May 2003
    Location
    The Netherlands
    Posts
    391
    Quote Originally Posted by PHPCamp.com
    ... Where you'll run into problems is usually one of these areas ...
    I'm sorry to say that, although by no means an expert, my decision not to use the session_set_save_handler directive has nothing to do with a lack of understanding but rather with a matter of implementation.

    I'm at the stage of building my own framework (yep, yet another framework) and after reading several comments on this issue I have decided I won't be using it. That does not mean I won't be able to store my session data in a DB, but just that I won't pass my methods to the PHP handler.

    AFAIS, there should not be a problem at all to invoke my own methods instead of giving PHP control to manage my session.

