Page 2 of 2

Posted: Thu May 18, 2006 2:40 pm
by Maugrim_The_Reaper
For example, if you use custom session-handling functions, the write function is called during script termination, so you can't debug it using echo.

PHP uses a GET variable to store the SID, which is sometimes undesirable. (Prone to session hijacking.) Disabling it is quite tricky, since GET is used only if cookies are not available, and there are countless ini options.

PHP tends to send session cookies to all users after you call session_start(). Personally, I like it when the user gets a cookie only when there is a real need for it. That's why my class has separate begin() and load() methods.
You should become a good Agile enthusiast and unit test...:) Just to note PHP will usually use both GET and COOKIE for the first visit to a domain. It then chooses which one to use (preferably COOKIE) based on whether a cookie variable could be set. I think this causes a little confusion when trying to disable GET completely.
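The three points raised above (keeping the session id out of the query string, issuing a cookie only when the application actually needs one, and the fact that a custom handler's write callback runs at shutdown where echo is useless) in one added example. This is written for PHP 8 and is not code from the thread; the SessionBootstrap and LoggingHandler names are this example's own.

```php
<?php
// Added example, not code from the thread: cookie-only session ids, a lazy
// begin()/load() split, and a logging save handler. SessionBootstrap and
// LoggingHandler are this example's own names; targets PHP 8.

declare(strict_types=1);

// Pin the session id to the cookie transport. use_only_cookies stops PHP from
// reading the id from the query string, use_trans_sid=0 stops it from being
// appended to links and forms, and use_strict_mode rejects ids the server
// never issued. All of these must be set before session_start() runs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax');

final class SessionBootstrap
{
    /** Start a session (and so send a Set-Cookie header). Call this only when
     *  there is state worth keeping: login, cart, CSRF token, and so on. */
    public static function begin(): void
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }

    /** Resume a session only if the visitor already presents the cookie;
     *  anonymous visitors get no cookie and no server-side session file. */
    public static function load(): bool
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return true;
        }
        if (!isset($_COOKIE[session_name()])) {
            return false;
        }
        return session_start();
    }
}

// write() is invoked by session_write_close() or at script shutdown, after the
// response body is done, so echo inside it never reaches the page. Log to the
// error log instead. Only the id's hash prefix is logged, never the id itself.
final class LoggingHandler extends SessionHandler
{
    public function write(string $id, string $data): bool
    {
        error_log(sprintf(
            'session write id_hash=%s bytes=%d',
            substr(hash('sha256', $id), 0, 12),
            strlen($data)
        ));
        return parent::write($id, $data);
    }
}

// Wrap the default files handler so only write() is customised.
session_set_save_handler(new LoggingHandler(), true);

// Typical use: load() on ordinary pages, begin() at the point the application
// first has something to store (for example right after a successful login,
// followed by session_regenerate_id(true) to defeat fixation).
SessionBootstrap::load();
```

Because load() checks for the cookie before calling session_start(), a crawler or first-time visitor never triggers a Set-Cookie header or a session file; begin() is the only path that creates one.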

Posted: Thu May 18, 2006 5:39 pm
by Ambush Commander
I haven't really read the thread yet, but here's my Session class. What it does is allow PHP to store everything in only one variable, minimizing session name crashes.

Code:

<?php

// No separation from the $_SESSION globals... however, you could argue this is the
// mapper for that (an active record, essentially)...

class Session
{
    public $user_id;
    public $user_name;
    public $user_rights;
    public $lastaccess;

    // Seconds of inactivity after which the stored session is treated as gone.
    public $_expiration = 86400;

    public function __construct($user_id, $user_name, $user_rights, $lastaccess) {
        $this->user_id      = $user_id;
        $this->user_name    = $user_name;
        $this->user_rights  = $user_rights;
        $this->lastaccess   = $lastaccess;
    }

    public function getUserID()        {return $this->user_id;}
    public function getUserName()      {return $this->user_name;}
    public function getUserRights()    {return $this->user_rights;}
    public function getLastaccess()    {return $this->lastaccess;}

    // The single $_SESSION key the whole object lives under.
    public static function sessionVariable() {
        return 'session';
    }

    // Build a fresh session from a logged-in user object.
    public static function newFromUser($user) {
        $user_id = $user->getID();
        $user_name = $user->getName();
        $user_rights = $user->getRights();
        $lastaccess = time();
        return new Session($user_id, $user_name, $user_rights, $lastaccess);
    }

    // Restore the stored session, or return false if there is none or the
    // stored value does not unserialize to a Session (e.g. after delete()
    // or after an expired session was stored as false).
    public static function newFromSession() {
        if (empty($_SESSION[self::sessionVariable()])) {
            return false;
        }
        header('Cache-Control: private, pre-check=0, post-check=0, max-age=0');
        $session = unserialize($_SESSION[self::sessionVariable()]);
        return ($session instanceof Session) ? $session : false;
    }

    public function update() {
        $_SESSION[self::sessionVariable()] = $this->serialize();
    }

    public function delete() {
        $_SESSION[self::sessionVariable()] = serialize(false);
    }

    public function isExpired() {
        return time() > $this->lastaccess + $this->_expiration;
    }

    public function setLastaccess($time = false) {
        if (!$time) $time = time();
        $this->lastaccess = $time;
    }

    // Serialize for storage; an expired session is stored as false so that
    // newFromSession() will not restore it.
    public function serialize() {
        if ($this->isExpired()) {
            return serialize(false);
        }
        return serialize($this);
    }


    public function _admin() {return ($this->user_rights == 'admin');}

    // Privileges! Whee!

    // Session_Null is the null-object subclass used for anonymous visitors
    // (defined elsewhere, not shown in this post).
    public function isRegistered() {return !($this instanceof Session_Null);}

    public function canAdminAccess() {return $this->_admin();}
    public function canBookViewTrash() {return $this->_admin();}
    public function canBookBypassCaptcha() {return $this->_admin();}
    public function canBookDelete() {return $this->_admin();}
    public function canBookEdit() {return $this->_admin();}
    public function canBookViewSensitive() {return $this->_admin();}
    public function canIndexReloadRandom() {return $this->_admin();}
    public function canIndexViewExtra() {return $this->_admin();}
}

?>

Posted: Thu May 18, 2006 5:49 pm
by John Cartwright

Code:

function delete() {
    $_SESSION[$this->sessionVariable()] = serialize(false);
}
The only thing I can recommend is, instead of setting the function to false, actually deleting the variable, i.e. unset().
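A storage helper that follows the suggestion above (delete with unset() rather than storing serialize(false)) and that also copes with the false that unserialize() returns when Ambush Commander's class has stored serialize(false), as an added example rather than either poster's code. LoginState, its key and the login()/logout() functions are this example's own names; session_start() is assumed to have run already.

```php
<?php
// Added example, not code from the thread: keep one object in $_SESSION, load
// it back defensively, and delete it with unset() instead of storing
// serialize(false). LoginState, KEY, login() and logout() are this example's
// own names; session_start() is assumed to have run already (PHP 7.4+).

declare(strict_types=1);

final class LoginState
{
    private const KEY = 'login';

    public int $userId;
    public string $role;
    public int $lastAccess;

    public function __construct(int $userId, string $role, int $lastAccess)
    {
        $this->userId = $userId;
        $this->role = $role;
        $this->lastAccess = $lastAccess;
    }

    public static function save(self $state): void
    {
        $_SESSION[self::KEY] = serialize($state);
    }

    /**
     * Returns the stored state, or null when there is none, it is stale, or
     * the stored string does not unserialize to a LoginState.
     */
    public static function load(int $maxIdleSeconds = 86400): ?self
    {
        $raw = $_SESSION[self::KEY] ?? null;
        if (!is_string($raw)) {
            return null;
        }
        // unserialize() yields false for 'b:0;' (a stored serialize(false)) and
        // for garbage; allowed_classes keeps any other object type from being
        // instantiated out of the stored string.
        $obj = unserialize($raw, ['allowed_classes' => [self::class]]);
        if (!$obj instanceof self || time() > $obj->lastAccess + $maxIdleSeconds) {
            self::clear();
            return null;
        }
        $obj->lastAccess = time();
        self::save($obj);
        return $obj;
    }

    /** Remove the key entirely, so isset()/empty() checks see nothing at all. */
    public static function clear(): void
    {
        unset($_SESSION[self::KEY]);
    }
}

// Login: rotate the session id first (defeats fixation), then store the state.
// The user id and role passed in would come from the authentication step.
function login(int $userId, string $role): void
{
    session_regenerate_id(true);
    LoginState::save(new LoginState($userId, $role, time()));
}

// Logout: drop the stored object and rotate the id so the old cookie value no
// longer refers to live state.
function logout(): void
{
    LoginState::clear();
    session_regenerate_id(true);
}
```

With unset() the key is gone, so a later empty() or isset() check behaves the same as on a visitor who never logged in; the instanceof check in load() is the fallback for the case where some other code path has stored a non-object under the key.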

Posted: Thu May 18, 2006 5:51 pm
by Ambush Commander
Hahaha. That's quite strange. Must have to do with unconditional unserializes. I'll investigate.

Posted: Thu May 18, 2006 6:06 pm
by alex.barylski
Ambush Commander wrote:I haven't really read the thread yet, but here's my Session class. What it does is allows PHP to store everything in only one variable, minimizing session name crashes.
It's crazy how differently each of us has developed a session class...

Clearly yours is more specialized than mine...as mine doesn't include ACL or anything...

Cheers :)

Posted: Fri May 19, 2006 3:25 am
by santosj
I just prefer to use $_SESSION the right way, since it is global and I don't have to do anything besides session_start().