1

I'm working on a session management class, which involves log ins and mySQL. The php documentation says that the read() method is called when session_start() is called or when the session is automatically started. When is "automatically started"? Also what is the difference between the open() method and read()?

I have this code snippet, if it helps at all, and wondering where session_start() belongs, or is it fine where it is. (The entire code doesn't work the way I want it to, resetting the session every time, which I don't know why.) 

public function __construct($conn) {
    $this->conn = $conn;

    # Set up the handler
    session_set_save_handler(
        array($this, '_session_open_method'), 
        array($this, '_session_close_method'), 
        array($this, '_session_read_method'), 
        array($this, '_session_write_method'), 
        array($this, '_session_destroy_method'), 
        array($this, '_session_gc_method')
    );


    # Check the cookie passed - if one is - if it looks wrong we'll
    # scrub it right away
    $strUserAgent = $_SERVER["HTTP_USER_AGENT"];
    if (isset($_COOKIE["PHPSESSID"])) {
        # Security and age check
        $this -> php_session_id = $_COOKIE["PHPSESSID"];

        #$stmt = "select id from http_session where ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) <  " .  $strUserAgent .$this->session_lifespan . " seconds) AND user_agent='" . "' AND ((now() - last_impression) <= '".$this->session_timeout." seconds' OR last_impression IS NULL)";
        #$stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < '" ./*$strUserAgent .*/$this->session_lifespan . "') AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= '".$this->session_timeout . "' OR last_impression IS NULL)";
        $stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < " ./*$strUserAgent .*/$this->session_lifespan . ") AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= ".$this->session_timeout . " OR last_impression IS NULL)"
        ;
        //echo $stmt;
        $result = $this -> conn -> query($stmt);

        if (!$result -> fetchColumn()) {
            # Set failed flag
            $failed = 1;
            # Delete from database - we do garbage cleanup at the same time
            $maxlifetime = $this -> session_lifespan;
            $result = $this -> conn -> query("DELETE FROM http_session WHERE (ascii_session_id = '" . $this -> php_session_id . "') OR (now() - created > '$maxlifetime seconds')");
            #print '<br/>';
            #var_dump($result->rowCount());
            # Clean up stray session variables
            //$result = $this -> conn -> query("DELETE FROM session_variable WHERE session_id NOT IN (SELECT id FROM http_session)");
            # Get rid of this one... this will force PHP to give us another
            unset($_COOKIE["PHPSESSID"]);
        }
    }

    # Call the session_start method to get things started
    # Set the life time for the cookie
    session_set_cookie_params($this->session_lifespan);
    session_start();        
}

Thank you in advance!
Edits:
Yes, I am aware that an sql injection can occur by the session identifier, but that isn't my focus now. Thanks Loz!
This code actually came from a book, Professional PHP6.

Improve this question
4
  • 1
    You know that its possible to set $_SERVER["HTTP_USER_AGENT"] to an sql injection value right? Commented Feb 13, 2014 at 5:11
  • make sure you're thinking about concurrency when writing your own session handler. Commented Feb 13, 2014 at 5:21
  • @rambo How and why so? Examples of why? Commented Feb 13, 2014 at 22:19
  • @jasonszhao sorry, I don't feel like preparing an answer for you. But, you should be able to google for 'php session concurrency' and learn more. Commented Feb 16, 2014 at 0:01

1 Answer 1

Reset to default
1

There is a key on php.ini config called session.auto_start you can set it to 1 to make your session start automaticaly on request startup. By default it is set to 0.

Also the open() method is called before the read() method and the first one must return only true if the session was started succesfully, or false if not. The read() method must always return a session encoded (serialized) string.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What do you mean exactly by "request startup"?
I think it's every time you do a request to the server, you can use this if all your requests use sessions, but i think anything else then that could cause an overload

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.