Re: session management with database: optimal parameters in php.ini
- From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@xxxxxxxxxxxxxxxx>
- Date: Tue, 03 Mar 2009 19:00:14 +0100
phicarre wrote:
> I am developing a script for the "session management with database"
> and I would like to know which parameters I must change in php.ini
> according to these requirements:
> - I am using the session_set_save_handler() function
Good.
> - I don't know if the client side uses or not the cookies
And you shouldn't care either. PHP will pass the session id to the functions you registered with session_set_save_handler().
> - Several clients can access the web application at the same time
That is normal.
They all have a different session id, so that is fine.
> - The web application shall be secured against classical attacks
Meaning what exactly?
I wrote a few db-sessionstorage routines, and here are some things I would have liked to know before. ;-)
1) Make sure you handle concurrency adequately in your routines.
Once you have finished the session handling in the db, make a simple test page to test concurrency:
a) Make an HTML page with 20 frames.
b) Put testdb.php in every frame.
c) testdb.php does something like this:
<?php
// your init stuff: register your handler with session_set_save_handler() here
session_start();   // without this $_SESSION is never loaded from or saved to the db
if (isset($_SESSION["count"])) {
    $_SESSION["count"] = $_SESSION["count"] + 1;
} else {
    $_SESSION["count"] = 1;
}
echo $_SESSION["count"];
?>
Now go to that framed page in your browser: the result should be an HTML page with 20 frames that all hold different numbers (not necessarily all in order).
2) Make sure you protect yourself against SQL injection attacks.
Mind that the session id comes from the client, thus it can be tampered with. It might contain:
1'); DELETE FROM tblusers;
which you don't want to use in your query:
SELECT sessiondata FROM tblusers where (sessionid=$sessionid);
So normal paranoia applies here.
3) If you need inspiration:
a) ADODB (a database abstraction layer) has a built-in session management module for databases, written in PHP.
http://www.phplens.com/adodb
4) If you use Postgres (which is a great database), you might have a look at:
http://nl.php.net/manual/en/book.session-pgsql.php
Good luck!
Regards,
Erwin Moller
--
"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
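Added example, not Erwin's code and not the ADODB or session-pgsql module: a handler for session_set_save_handler() that covers points 1 and 2 of the post above. Every query binds the client-supplied session id as a prepared-statement parameter, so an id such as `1'); DELETE FROM tblusers;` is just a key that does not exist; and read() opens a transaction that write() (or close()) ends, so two requests for the same id are serialised by the database instead of racing on the counter. The table name php_sessions and its columns, the PHP 8 requirement and the in-memory SQLite database are this example's own assumptions. SQLite inside one process shows the parameter binding but not real cross-request locking; on MySQL/InnoDB or PostgreSQL add FOR UPDATE to the SELECT in read() to take the row lock.

```php
<?php
// Added example (not from the original post). Assumptions: PHP 8 with PDO and
// a bundled SQLite supporting ON CONFLICT ... DO UPDATE; table php_sessions
// (id, data, modified) is invented for this example.

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS php_sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, modified INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }

    public function close(): bool
    {
        // read() without a matching write() (e.g. session_abort()): release the lock.
        if ($this->db->inTransaction()) { $this->db->rollBack(); }
        return true;
    }

    public function read(string $id): string|false
    {
        // The transaction stays open until write()/close(), serialising requests
        // for the same id (point 1). With InnoDB/PostgreSQL append FOR UPDATE.
        $this->db->beginTransaction();
        // Never interpolate $id: it comes from the cookie or URL (point 2).
        $stmt = $this->db->prepare(
            'SELECT data FROM php_sessions WHERE id = :id AND modified > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        if (!$this->db->inTransaction()) { $this->db->beginTransaction(); }
        $stmt = $this->db->prepare(
            'INSERT INTO php_sessions (id, data, modified) VALUES (:id, :data, :now)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, modified = excluded.modified');
        $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
        return $this->db->commit();   // releases the row for the next request
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM php_sessions WHERE id = :id')
                        ->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM php_sessions WHERE modified < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    public function storedSessions(): int   // helper for the demo below
    {
        return (int) $this->db->query('SELECT COUNT(*) FROM php_sessions')->fetchColumn();
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$handler = new PdoSessionHandler($pdo);
session_set_save_handler($handler, true);

// The 20-frame counter test from the post, collapsed into one process:
// every iteration is one request that reads, increments and writes back.
$sid = bin2hex(random_bytes(16));
for ($i = 0; $i < 20; $i++) {
    session_id($sid);
    session_start();
    $_SESSION['count'] = ($_SESSION['count'] ?? 0) + 1;
    session_write_close();
}
session_id($sid);
session_start();
echo "count after 20 requests: {$_SESSION['count']}\n";
session_write_close();

// A tampered id is bound as data, not spliced into the SQL: the table survives.
$hostile = "1'); DELETE FROM php_sessions; --";
$handler->read($hostile);
$handler->close();
echo "sessions still stored: " . $handler->storedSessions() . "\n";
```

Run it with the php command-line binary; the loop plays the part of the 20 frames, and the hostile id at the end finds no row and deletes nothing. Not covered here: validateId()/updateTimestamp() for session.use_strict_mode, and when gc() runs, which the session.gc_* settings in php.ini still control.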