storing session data in database

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

storing session data in database

Post by ibolui »

Hi, I have implemented the storage of session data in a MySQL database, as described in 'Essential PHP Security'.
I would like to ask: how do I 'clean up' both the 'sessions' and 'sessions_keys' tables?
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Re: storing session data in database

Post by Oren »

It depends... what do you mean by "clean up"?
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: storing session data in database

Post by arjan.top »

gc defined in session_set_save_handler should delete expired sessions
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: storing session data in database

Post by ibolui »

Yup, I want to delete expired sessions from both tables, but somehow it isn't working. Below is my code. Is there anything wrong with it?

session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');

// Called when the session starts. $db is the mysql link opened elsewhere.
function _open() {
    global $db;
    return $db;
}

function _close() {
    global $db;
    return mysql_close($db);
}

// Load and decrypt the record for $id. Returns '' when there is none,
// which is what PHP expects for a brand-new session.
function _read($id) {
    global $db;

    // Must match the cipher and mode used by the crypt class, since the
    // IV length is derived from them.
    $algorithm = MCRYPT_BLOWFISH;
    $mode = MCRYPT_MODE_CBC;

    $id = mysql_real_escape_string($id);

    $sql = "SELECT session_data FROM sessions WHERE session_id = '$id'";

    if ($result = mysql_query($sql, $db)) {
        if (mysql_num_rows($result)) {
            $record = mysql_fetch_assoc($result);
            // Stored as base64(IV . ciphertext); split it back apart.
            $data = base64_decode($record['session_data']);

            $iv_size = mcrypt_get_iv_size($algorithm, $mode);

            $iv = substr($data, 0, $iv_size);
            $ciphertext = substr($data, $iv_size);

            $crypt = new crypt();   // the crypt class from 'Essential PHP Security'

            $crypt->iv = $iv;
            $crypt->ciphertext = $ciphertext;
            $crypt->decrypt();

            return $crypt->cleartext;
        }
    }

    return '';
}

// Encrypt and store the serialized session data. session_expires holds the
// time of the last write; _clean() compares against it.
function _write($id, $data) {
    global $db;

    $expires = time();

    $crypt = new crypt();

    $crypt->cleartext = $data;
    $crypt->generate_iv();   // fresh IV per write, stored in front of the ciphertext
    $crypt->encrypt();

    $ciphertext = $crypt->ciphertext;
    $iv = $crypt->iv;

    $data = base64_encode($iv . $ciphertext);

    $id = mysql_real_escape_string($id);
    $expires = mysql_real_escape_string($expires);
    $data = mysql_real_escape_string($data);

    // column order: session_id, session_expires, session_data
    $sql = "REPLACE INTO sessions VALUES ('$id', '$expires', '$data')";

    return mysql_query($sql, $db);
}

// Called by session_destroy(): remove this one session.
function _destroy($id) {
    global $db;

    $id = mysql_real_escape_string($id);

    $sql = "DELETE FROM sessions WHERE session_id = '$id'";

    return mysql_query($sql, $db);
}

// Garbage collection. $max is session.gc_maxlifetime in seconds. PHP only
// calls this on a fraction of requests (session.gc_probability / session.gc_divisor).
function _clean($max) {
    global $db;

    $old = time() - $max;
    $old = mysql_real_escape_string($old);

    $sql = "DELETE FROM sessions WHERE session_expires < '$old'";

    return mysql_query($sql, $db);
}
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: storing session data in database

Post by arjan.top »

Expired sessions are deleted based on session.gc_divisor in php.ini, so if the value is 100, gc would delete expired sessions once per 100 requests.
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: storing session data in database

Post by ibolui »

So the cleaning up of expired sessions is automatic?

Another thing: I implemented the method of generating a session key as follows.

function generate_session_key() {
    global $db;
    session_regenerate_id();   // new id; the old session row stays until gc removes it
    $_sess_id = mysql_real_escape_string(session_id());
    $ip = isset($_SERVER['REMOTE_ADDR']) ? htmlspecialchars($_SERVER['REMOTE_ADDR']) : '';
    $sessionKey = sha1(uniqid(mt_rand(), TRUE) . $ip);

    // column order: session_id, session_key
    $sql = "REPLACE INTO sessions_keys VALUES ('$_sess_id', '$sessionKey')";
    if (!mysql_query($sql, $db)) {
        // error handling left out here
    }

    $_SESSION['session_key'] = $sessionKey;
    unset($sessionKey);
}

I realise that the sessions_keys table has a huge number of entries. How do I clean this up?
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: storing session data in database

Post by arjan.top »

ibolui wrote: So the cleaning up of expired sessions is automatic?
yes
ibolui wrote: I realise that the sessions_keys table has a huge number of entries. How do I clean this up?
update _destroy and _clean, so that you delete from table sessions_keys too
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: storing session data in database

Post by ibolui »

arjan.top wrote: update _destroy and _clean, so that you delete from table sessions_keys too
Sorry, I don't get what you mean :?
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: storing session data in database

Post by arjan.top »

delete session_key in _destroy and _clean
ibolui
Forum Commoner
Posts: 27
Joined: Thu May 26, 2005 9:41 am

Re: storing session data in database

Post by ibolui »

Ohh.. but how do I identify which entries to delete?
Sorry.. new to this :|
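The following is an added example, not ibolui's code and not from 'Essential PHP Security'. It shows what arjan.top's advice looks like in code: _destroy removes the key row together with the session row, and _clean removes expired sessions and then every sessions_keys row whose session no longer exists, which answers the question of which entries to delete. It assumes a PDO connection in $db (the thread uses mysql_*; PDO is substituted here), a sessions table with columns session_id, session_expires and session_data, and a sessions_keys table with columns session_id and session_key, matching the column order of the REPLACE INTO statements above; session_expires is the last write time, as in ibolui's _write.

```php
<?php
// Added example: cleaning both the sessions and sessions_keys tables.
// Assumptions (not from the thread): $db is a PDO connection, and the two
// tables are sessions(session_id, session_expires, session_data) and
// sessions_keys(session_id, session_key).

function _destroy($id) {
    global $db;
    // Delete the key row for this id first, then the session row. If only
    // the session row goes, the key table grows without bound, which is the
    // symptom reported in the thread.
    $stmt = $db->prepare('DELETE FROM sessions_keys WHERE session_id = ?');
    $stmt->execute(array($id));
    $stmt = $db->prepare('DELETE FROM sessions WHERE session_id = ?');
    return $stmt->execute(array($id));
}

function _clean($max) {
    global $db;
    $old = time() - (int) $max;   // $max is session.gc_maxlifetime in seconds

    // 1. Expired sessions: not written to for longer than gc_maxlifetime.
    $stmt = $db->prepare('DELETE FROM sessions WHERE session_expires < ?');
    $stmt->execute(array($old));

    // 2. Orphaned keys: any sessions_keys row with no matching session row.
    //    This also catches the old ids left behind by session_regenerate_id(),
    //    whose session rows step 1 has just removed. Multi-table DELETE with a
    //    LEFT JOIN is MySQL syntax.
    $db->exec('DELETE k FROM sessions_keys AS k
               LEFT JOIN sessions AS s ON s.session_id = k.session_id
               WHERE s.session_id IS NULL');
    return true;
}

// Running gc on a schedule instead of relying on gc_probability/gc_divisor:
// a cron job can call the same function with the configured lifetime.
function run_scheduled_cleanup() {
    return _clean((int) ini_get('session.gc_maxlifetime'));
}
```

Because PHP only calls the gc handler on session.gc_probability out of session.gc_divisor requests, and some distributions ship a php.ini with session.gc_probability set to 0 and rely on an external cron job instead, a save handler that stores sessions in a database should not assume _clean ever runs on its own; calling it from a scheduled script, as run_scheduled_cleanup does, makes the cleanup deterministic.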