Building a session <-> database handler class - Part 1 of 2

Sydney PHP Group presentation - sydphp.org

It's recommended to point a browser at http://php.net/sessions during this presentation

What is a session?

It's a stored repository of data that can exist independently of the current script. Session data can be called upon at any time via the $_SESSION array.
Session data is preserved across subsequent accesses to a script without the need to invoke other methods of persistent data transfer (such as via the URL using $_GET or via form posts using $_POST)
Sessions can either be for the term of a visit to the site, have a preset expiry date or have an open ended expiry (permanent)
Session data can be stored:
- In a cookie on the browser - useful for non secure data (we'll see the reasons for this later on)
- On the webserver - somewhat secure but less scalable
- On a separate server to the web server, such as a database server - both secure and scalable
The session id can be propagated via a cookie or via the URL (session.trans_sid). The class described here uses the cookie method.

How does PHP store it's session data?

When using cookies, the PHP session management library^* stores session data remotely. This data is accessible via a named cookie that contains a unique session id. $_COOKIE['mycookie'] = "hv1ku07kqucvs1vvdd64fhi237"

The unique session id is initially sent from PHP to the browser. On subsequent requests the browser sends this data back to the server.

^* You can still store data locally in a cookie using setcookie but this would then be insecure. You would not want to store a credit card number in a local cookie!

Which data storage system?

Any system that PHP can communicate with:

MySQL
PostgreSQL
Microsoft SQL Server
Oracle
sqlite
LDAP
XML
CSV (why?)

Why use a database?

Isn't that more complex than needed?

No! - storing session data in a database is very simple using PHP's built in session handling functions. Additionally there are enormous benefits:

Excellent solution for load balanced sites - those that are spread across a number of web servers
Session data is accessible by any application and server with access to the database server
Much more secure than session data stored on a shared web server. PHP usually stores it's session data in /tmp or similar
Less risk of lost data - easy database backups vs filesystem backups
Secure - your session data's security is governed by your database server security (make your database server secure if it isn't already)
Integrate third party applications into your site - eg. single sign on

The parts

A database server
A web server with PHP installed (preferably a recent version)
Access to the PHP session handling functions
Access to the PHP ini parameters for sessions, via ini_set()
A class to interact with the database server

PHP's session handling functions

Manual reference : C. Session Handling Functions

Define a user level storage function : session_set_save_handler()
Usage : bool session_set_save_handler ( string open, string close, string read, string write, string destroy, string gc), executed in the following order:
- open : open a session storage connection
- read : get session data from storage
- destroy : delete session data (invoked by developer)
- gc : garbage cleanup of stale session data
- write : send session data to storage
- close : close the session storage connection
Note : the write and close handlers execute after the output stream is closed

The above handlers, apart from destroy(), are auto-invoked by PHP. You do not need to call them.

Designing the session object

Objective : drop in to your code for instant session handling

Sample programming interface idea

require_once('Session.php');//contains a class called Session $session = new Session();

constructor

Defines the session handling properties and database information.

Methods

Implement various session related activities such as setting session handlers, starting sessions, checking session data

Six examples

Example 1 : starting a session
Example 2 : start the session, write a string
Example 3 : start the session, write multiple data types
Example 4 : start the session, destroy it
Example 5 : start multiple sessions #1
Example 6 : start multiple sessions #2

Looking under the hood : the class library

In Part 2

Security : making it as secure as possible
An example login/logout site

Response Headers - http://sessiondb.miso/example1.php

Date: Wed, 01 Feb 2006 12:14:11 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.1.1
Set-Cookie: default=as4a73vea425oh0l506b81l4235chbsq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1858
Connection: close
Content-Type: text/html; charset=UTF-8

200 OK

content © Sydney PHP Group • 2006

Sydney PHP Group - A session database handling class - 1 of 2