Re: session management with database: optimal parameters in php.ini



On 3 Mar, 19:00, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@xxxxxxxxxxxxxxxx> wrote:
phicarre wrote:

> I am developing one script for the "session management with database"
> and I would like to know which parameters I must change in php.ini
> according to these requirements:
>
> - I am using the session_set_save_handler() function

good.

> - I don't know if the client side uses or not the cookies

And you shouldn't care either. PHP will pass the sessionid to your
functions you use in session_set_save_handler().

> - Several clients can access the web application at the same time

That is normal.
They all have a different sessionid, so that is fine.

> - The web application shall be secured against classical attacks

Meaning what exactly?

I wrote a few db-sessionstorage routines, and here are some things I would
have liked to know before. ;-)

1) Make sure you handle concurrency adequately in your routines.
If you finish the sessionhandling in the db, make a simple testpage to
test concurrency:
a) Make a htmlpage with 20 frames.
b) Put testdb.php in every frame
c) testdb.php does something like this:
<?php
  // your initstuff
  session_start(); // after registering your handler with session_set_save_handler()
  if (isset($_SESSION["count"])) {
    $_SESSION["count"] = $_SESSION["count"] + 1;
  } else {
    $_SESSION["count"] = 1;
  }
  echo $_SESSION["count"];
?>

Now go to that framed page in your browser: the result should be an
htmlpage with 20 frames that all hold different numbers (not necessarily
all in order).

2) Make sure you protect yourself against SQL-injection attacks.
Mind that the sessionid comes from the client, thus it can be tampered
with. It might contain:
1'); DELETE FROM tblusers;

which you don't want to use in your query:
SELECT sessiondata FROM tblusers where (sessionid=$sessionid);

So normal paranoia applies here.

3) If you need inspiration:
a) ADODB (a database abstraction layer) has a built-in session-management
module for databases, written in PHP: http://www.phplens.com/adodb

4) If you use Postgres (which is a great database), you might have a
look at: http://nl.php.net/manual/en/book.session-pgsql.php

Good luck!

Regards,
Erwin Moller

--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
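Putting points 1 and 2 together, as an added example that is not code from this thread: a save handler for session_set_save_handler() backed by MySQL through PDO. It assumes PHP 8, the SessionHandlerInterface, an InnoDB table named `sessions` as described in the comment, and a PDO connection opened with PDO::ATTR_EMULATE_PREPARES set to false so the placeholders are real server-side parameters.

```php
<?php
// Added example, not from the thread. Assumes PHP 8, PDO on MySQL/InnoDB and
// CREATE TABLE sessions (id VARCHAR(256) PRIMARY KEY, data BLOB NOT NULL,
//                        expires INT UNSIGNED NOT NULL) ENGINE=InnoDB;
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440) {}
    // Point 2: the id comes from the client's cookie or URL, so treat it as
    // attacker controlled. PHP only emits [a-zA-Z0-9,-] (22..256 chars): reject
    // anything else up front and bind it as a parameter, never inline it.
    private function validId(string $id): bool
    {
        return (bool) preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id);
    }
    public function read(string $id): string|false
    {
        if (!$this->validId($id)) { return ''; }
        // Point 1: hold a row lock until write()/close() so concurrent requests
        // (the 20-frame test) serialise their read-modify-write of $_SESSION.
        $this->db->beginTransaction();
        $st = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND expires > ? FOR UPDATE');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;
    }
    public function write(string $id, string $data): bool
    {
        if (!$this->validId($id)) { return false; }
        $st = $this->db->prepare('INSERT INTO sessions (id, data, expires)
            VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE data = VALUES(data),
            expires = VALUES(expires)');
        $ok = $st->execute([$id, $data, time() + $this->ttl]);
        return $this->close() && $ok;          // commit releases the row lock
    }
    public function close(): bool
    {
        if ($this->db->inTransaction()) { $this->db->commit(); }
        return true;
    }
    public function open(string $path, string $name): bool { return true; }
    public function destroy(string $id): bool
    {
        return $this->validId($id)
            && $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        return $st->execute([time()]) ? $st->rowCount() : false;
    }
}
```

Register it with session_set_save_handler(new DbSessionHandler($pdo), true) before session_start(); with the lock in read(), the 20-frame test yields 20 distinct numbers, and without it you get duplicates from lost updates. Locking a row that does not exist yet takes an InnoDB gap lock, so if brand-new sessions ever deadlock, INSERT IGNORE the row before the SELECT ... FOR UPDATE.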

Thank you for your answers.
Your first point is interesting because I don't know how to test
sessions for a multi-user environment. I don't understand "Make a
htmlpage with 20 frames". Could you explain for Firefox ...
If the test is compliant, can I conclude that I won't have problems
with multiple accesses?
Point 2: I am aware of that!
Point 4: I am using MySQL.


