Creating database sessions

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Creating database sessions

Post by kaisellgren »

Hi,

I would like to know the benefits of database sessions compared to built-in sessions. Built-in sessions need cookies enabled in the visitor's browser, so that's the first benefit.

Also, any good tutorials on creating database sessions? I need to create sessions for my application without needing to have cookies enabled in the web browser.

Thank you.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Creating database sessions

Post by pickle »

kaisellgren wrote:I need to create sessions for my application without needing to have cookies enabled on web browser.
You can't. HTTP is stateless, which means that once I get my file, Apache/IIS/whatever you're using for a webserver forgets about me. There is no way for it to know that a subsequent file request is from the same person. That's where sessions come in & work behind the scenes in your code - to remember who is who.

I use database sessions personally, but I'm not sure if I can think of any advantages to one over the other. I guess there's less code to write for using built in sessions.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
kaisellgren

Post by kaisellgren »

Thanks for your comments.

Can you give me any plain code (.zip?) of a script that uses database sessions?
pickle

Post by pickle »

Heh. No ;)

This board (or at least the people I know on it) prides itself on encouraging members to help themselves first. If you want, I can outline the theory behind using database sessions, but I'm not going to do your work for you ;)
kaisellgren

Post by kaisellgren »

Heh, that's fine.

So, firstly I need to create a new table in the MySQL database:

session_id INT NOT NULL AUTO_INCREMENT,

Hmm, what else I need to add...

But what about the real-time side? How do I know when the user leaves? Do I just make the session outdated if more than 5 minutes have passed since the last click somewhere?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Creating database sessions

Post by Mordred »

pickle wrote:
kaisellgren wrote:I need to create sessions for my application without needing to have cookies enabled on web browser.
You can't.
Yes you can, by passing the session id as a GET or POST variable.

kaisellgren, storing sessions in a file or database has no bearing on how you identify a user (by session id passed in a cookie, or GET/POST). Read the chapter on sessions in the manual; it's pretty thorough and will answer both topics of session storage and session ids.
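To make the separation Mordred describes concrete, here is an added example (not code posted by anyone in this thread) of a database-backed store plugged into PHP's own session machinery through session_set_save_handler(). The handler only decides where $_SESSION data lives; whether the id arrives in a cookie or as a GET/POST parameter is a separate php.ini setting. It assumes PHP 7.0 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite database in place of a MySQL table so it runs offline; the table and column names are my own choice.

```php
<?php
// Added example for this thread, not code from the original posts.
// A database-backed session store for PHP's built-in session functions.
// Assumptions: PHP >= 7.0, PDO with pdo_sqlite; in-memory SQLite stands in
// for the MySQL table the thread talks about.

declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface,
    SessionUpdateTimestampHandlerInterface
{
    /** @var PDO */
    private $db;
    /** @var int idle seconds after which a row is treated as expired */
    private $lifetime;

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Unknown or expired id: return '' so PHP starts with an empty $_SESSION.
    public function read($id): string
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_updated > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->lifetime]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    // REPLACE (MySQL and SQLite) keeps one row per id and bumps the idle clock.
    public function write($id, $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, last_updated) VALUES (:id, :data, :now)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')
            ->execute([':id' => $id]);
    }

    // Run by PHP's probabilistic GC; sweeps rows idle longer than the lifetime.
    public function gc($maxlifetime): int
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_updated <= :cutoff');
        $stmt->execute([':cutoff' => time() - $this->lifetime]);
        return $stmt->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks this before accepting a client
    // supplied id, so an id the store never issued cannot be fixated on a victim.
    public function validateId($id): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM sessions WHERE id = :id AND last_updated > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->lifetime]);
        return $stmt->fetchColumn() !== false;
    }

    // Called instead of write() when the data did not change, so the idle
    // timeout still slides on every request.
    public function updateTimestamp($id, $data): bool
    {
        return $this->write($id, $data);
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id VARCHAR(128) PRIMARY KEY,
    data BLOB NOT NULL,
    last_updated INTEGER NOT NULL)');

// 20 minutes of inactivity, the idle timeout discussed in this thread.
session_set_save_handler(new PdoSessionHandler($db, 20 * 60), true);

// Transport of the id is configured independently of the store. These keep
// it in a cookie; for the cookieless case set session.use_cookies=0 and
// session.use_trans_sid=1 in php.ini instead, accepting that the id then
// shows up in URLs, server logs and Referer headers.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

session_start();
session_regenerate_id(true);   // new id after login so a pre-login id is useless
$_SESSION['username'] = 'pickle';
session_write_close();
```

Because the store is swapped in underneath session_start(), the rest of the application keeps using $_SESSION unchanged; only the storage, the expiry sweep and the strict-mode id check move into the database.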
pickle

Post by pickle »

@~Mordred - Well, technically that's true. I guess I spoke in error. However, putting it as a GET variable in the URL is insecure if someone happens to walk by the user's computer. Putting it in POST is doable, but a pain in the butt - impractical at best (in my opinion).

@~kaisellgren - The minimum you need is the session id. In my implementation, I also associate the username with the session id. My implementation was built before I got on the job though, so I'm not sure why it's stored. The time, as you imagined, is also important. We have a 20 minute time out where I work. On every page load that uses the sessions, the `last updated` field is checked & if it's within the last 20 minutes, the page continues. The 'last updated' field is then updated to now. If the `last updated` field is older than 20 minutes, the user needs to re-authenticate.

Make sense?
kaisellgren

Post by kaisellgren »

Yes, makes a lot of sense.

session_id INT NOT NULL AUTO_INCREMENT
username INT NOT NULL DEFAULT '1'
last_updated INT NOT NULL DEFAULT '0'

When the user submits the POST login and the credentials are correct, it adds a new row into the above table with the username and time(). Whenever the user requests a page, the table will be searched for the username; if the username is found and time() < last_updated+20*60, the user still has a session. If the time is too old, the user needs re-authentication. ?
pickle

Post by pickle »

You need to keep track of the session id as well. Otherwise, someone can easily hijack a session as long as they know the username. Making the session id a random string will make that much more difficult. So whenever a user requests a page, the table should be checked for the session id, not just the username.

You also need to handle the situation where someone requests a page but doesn't have a valid session period - not just an expired one.

Also, it would probably be better to use either strtotime() or MySQL date functions to add the 20 minutes, rather than + 20 * 60. Both PHP & MySQL will take care of daylight saving time & leap years & all that for you.
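Pulling together the 20-minute sliding timeout pickle describes earlier and the three points in the reply just above (a random session id, lookup by id rather than username, and a distinct answer for "no session at all" versus "expired"), here is an added example of the hand-rolled session table kaisellgren is sketching; it is not code posted in the thread. It assumes PHP 7.0 or later with PDO and pdo_sqlite, uses an in-memory SQLite database in place of MySQL, keeps the column names from the schema posted above (with user_id instead of username, since the username column was declared INT), and the function names are my own. Only the id needs to reach the server; the user is looked up from it, so nothing like username=pickle belongs in the URL.

```php
<?php
// Added example for this thread, not code from the original posts.
// A custom session table with random ids, id-based lookup and a sliding
// 20-minute idle timeout computed with DateTime rather than + 20 * 60.
// Assumptions: PHP >= 7.0, PDO with pdo_sqlite; column names follow the
// schema posted in the thread; function names are hypothetical.

declare(strict_types=1);

const SESSION_IDLE = '20 minutes';   // relative format understood by DateTime

function newSessionId(): string
{
    // 32 random bytes from a CSPRNG -> 64 hex characters (uniqid() is not random)
    return bin2hex(random_bytes(32));
}

// Called once the login form has been verified; returns the id to hand to the client.
function createSession(PDO $db, int $userId, DateTimeImmutable $now): string
{
    $id = newSessionId();
    $stmt = $db->prepare(
        'INSERT INTO sessions (session_id, user_id, last_updated) VALUES (:id, :uid, :now)');
    $stmt->execute([':id' => $id, ':uid' => $userId, ':now' => $now->format('Y-m-d H:i:s')]);
    return $id;
}

// Checks the id sent with a request. state is 'none' (no or unknown id),
// 'expired' (row older than SESSION_IDLE) or 'valid'; a valid hit resets the
// idle clock. The lookup is by session_id only; knowing a username buys nothing.
function checkSession(PDO $db, ?string $id, DateTimeImmutable $now): array
{
    if ($id === null || !preg_match('/^[0-9a-f]{64}$/', $id)) {
        return ['state' => 'none', 'user_id' => null];
    }
    $stmt = $db->prepare('SELECT user_id, last_updated FROM sessions WHERE session_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['state' => 'none', 'user_id' => null];
    }
    $expiresAt = (new DateTimeImmutable($row['last_updated']))->modify('+' . SESSION_IDLE);
    if ($now >= $expiresAt) {
        $db->prepare('DELETE FROM sessions WHERE session_id = :id')->execute([':id' => $id]);
        return ['state' => 'expired', 'user_id' => null];
    }
    $db->prepare('UPDATE sessions SET last_updated = :now WHERE session_id = :id')
       ->execute([':now' => $now->format('Y-m-d H:i:s'), ':id' => $id]);
    return ['state' => 'valid', 'user_id' => (int) $row['user_id']];
}

// --- demo on constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    session_id CHAR(64) NOT NULL UNIQUE,
    user_id INTEGER NOT NULL,
    last_updated DATETIME NOT NULL)');

$loginTime = new DateTimeImmutable('2007-01-01 12:00:00');   // constructed clock
$sid = createSession($db, 1, $loginTime);

// A click 5 minutes after login, a request with a made-up id, and a request
// 30 minutes after login (25 minutes after the last click).
var_dump(checkSession($db, $sid, $loginTime->modify('+5 minutes')));
var_dump(checkSession($db, str_repeat('ab', 32), $loginTime->modify('+6 minutes')));
var_dump(checkSession($db, $sid, $loginTime->modify('+30 minutes')));
```

The three calls at the end exercise the three states in order: the first is valid and moves last_updated to 12:05, the second is none because no row carries that id, and the third is expired because 12:30 is past 12:05 plus 20 minutes. Passing the clock in as a DateTimeImmutable keeps the timeout logic testable without waiting, and the DateTime arithmetic handles the calendar rules pickle mentions.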
kaisellgren

Post by kaisellgren »

id INT NOT NULL AUTO_INCREMENT
session_id NOT NULL DEFAULT '0'
username INT NOT NULL DEFAULT '1'
last_updated INT NOT NULL DEFAULT '0'

Do I put the information in the URL, or what should I do?

Like: index.php?psi=5834053945&username=pickle ?

And oh yeah, I know how to handle times. My time example 20*60 was just a quick sample demonstration.
pickle

Post by pickle »

Look into setting cookies or sessions in PHP.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Useful Posts may be of interest.
kaisellgren

Post by kaisellgren »

feyd wrote:Useful Posts may be of interest.
Thanks. Two good threads there :)
Mordred

Post by Mordred »

However, putting it as a GET variable in the URL is unsecure if someone happens to walk by the user's computer.
@pickle, you seriously mean that people will shoulder-browse, remember and then copy a 32-character string? ;)
There are dangers, yes, of sessions being stolen from browser histories, caches, caching proxies, men-in-the-middle, but there is little practical difference for most of these "attacks" (though I agree that security-wise SECURE(cookie) > SECURE(POST) > SECURE(GET) )

@kaisellgren: choose a good long random string for session_id (uniqid() maybe)
kaisellgren

Post by kaisellgren »

Thanks I'll do that.

Before I start on my own session system, can any of you tell me whether there are any disadvantages to using database sessions instead of built-in ones? What do you really suggest, using $_SESSION or db sessions?