Secure PHP Development- P37 pot

Create a database called sessions using mysqladmincommand such as mysqladmin -u root -p create sessions.. You will need to know the username here root and password that is allowed to cre

Figure 5-10: How database-based sessions persist in Web server farms.

Listing 5-12 shows libsession_handler.php which implements all these functions.

Listing 5-12: lib.session_handler.php

<?php

error_reporting(E_ALL);

require_once(‘constants.php’);

require_once(‘class.DBI.php’);

require_once ‘DB.php’;

$DB_URL = “mysql://root:foobar@localhost:/sessions”;

$dbi = new DBI($DB_URL);

Continued

Web Server 1

Web Server 2

Load Balancer

Request for application X Session Database Server

Old Session File New Session File

User request for application X

Web Server 3

Web

Server n

Request 2 for application X User request for

application X

Listing 5-12 (Continued)

$SESS_LIFE = get_cfg_var(“session.gc_maxlifetime”);

function sess_open($save_path, $session_name) { return true;

}

function sess_close() { return true;

}

function sess_read($key) {

global $dbi, $DEBUG, $SESS_LIFE;

$statement = “SELECT value FROM sessions WHERE “

“sesskey = ‘$key’ AND expiry > “ time();

$result = $dbi->query($statement);

$row = $result->fetchRow();

if ($row) { return $row->value;

}

return false;

}

function sess_write($key, $val) {

global $dbi, $SESS_LIFE;

$expiry = time() + $SESS_LIFE;

$value = addslashes($val);

$statement = “INSERT INTO sessions “

“VALUES (‘$key’, $expiry, ‘$value’)”;

$result = $dbi->query($statement);

if (! $result) {

$statement = “UPDATE sessions SET “

“ expiry = $expiry, value = ‘$value’ “

“ WHERE sesskey = ‘$key’ AND expiry > “ time();

$result = $dbi->query($statement);

return $result;

}

function sess_destroy($key) {

global $dbi;

$statement = “DELETE FROM sessions WHERE sesskey = ‘$key’”;

$result = $dbi->query($statement);

return $result;

}

function sess_gc($maxlifetime) {

global $dbi;

$statement = “DELETE FROM sessions WHERE expiry < “ time();

$qid = $dbi->query($statement);

return 1;

}

session_set_save_handler(

“sess_open”,

“sess_close”,

“sess_read”,

“sess_write”,

“sess_destroy”,

“sess_gc”);

?>

Here the sess_open(), sess_close(), sess_read(), sess_destory(), and

sess_gc()methods use a DBI object from our class.DBI.phpclass to implement database-based session management To implement this database-based session management in our framework, we need to do the following:

1 Place the lib.session_handler.phpin the framework directory For example, if you’re keeping the class.PHPApplication.phpin the

/usr/php/framework directory, then you should put the

lib.session_handler.php in the same directory.

2 Create a database called sessions using mysqladmincommand such as

mysqladmin -u root -p create sessions You will need to know the username (here root) and password that is allowed to create databases.

Next create a table called sessionsusing the sessions.ddlscript with the mysql -u root -p -D sessions < sessions.sqlcommand Here’s the sessions.sql:

CREATE TABLE sessions ( sesskey varchar(32) NOT NULL default ‘’, expiry int(11) NOT NULL default ‘0’, value text NOT NULL,

PRIMARY KEY (sesskey) ) TYPE=MyISAM;

3 Modify the following line in lib.session_handler.phpto reflect your user name, password, and database host name:

$DB_URL = “mysql://root:foobar@localhost:/sessions”;

Here user name is root, password is foobar, and database host is local-host You should change them if they’re different for your system.

4 Add the following line at the beginning of the

class.PHPApplication.phpfile.

require_once ‘lib.session_handler.php’;

After you’ve completed these steps, you can run your login application and see that sessions are being created in the sessions table in the sessions database To view sessions in your sessions database, run mysql -u root -p -Dsessions When you’re logged into the sessions database, you can view sessions using queries such

as the following:

mysql> select * from sessions;

+ -+ -+ -+

| sesskey | expiry | value | + -+ -+ -+

| 3b6c2ce7ba37aa61a161faafbf8c24c7 | 1021365812 | SESSION_ATTEMPTS|i:3; | + -+ -+ -+

1 row in set (0.00 sec)

After a successful login:

mysql> select * from sessions;

+ -+ -+ -+

| sesskey | expiry | value

| + -+ -+ -+

| 3b6c2ce7ba37aa61a161faafbf8c24c7 | 1021365820 | SESSION_ATTEMPTS|i:3;SESSION_USERNAME|s:15:”joe@evoknow.com”; |

+ -+ -+ -1 row in set (0.00 sec) After logging out:

mysql> select * from sessions;

Empty set (0.00 sec)

You can see that the session is started after login.php and the session is removed once the user runs logout.php

Summary

In this chapter you learned about a central authentication system which involves a login and logout application and a central authentication database All PHP appli-cations in your intranet or Web can use this central authentication facility When

an application is called directly by entering the URL in the Web browser, it can check for the existence of a session for the user and if an existing session is found, she is allowed access or else she is redirected to the login form The logout applica-tion can be linked from any PHP applicaapplica-tion to allow the user log out at any time.

Once logged out the session is removed Having a central authentication system such as this helps you reduce the amount of code and maintenance you need to do for creating a seamless authentication process throughout your entire Web or intranet environment.