Back To Programming / Scripting / Coding Forum

Make Your Sessions More Secure

  • astkboy2008
  • Born
  • Born
  • No Avatar
  • Joined: Dec 29, 2009
  • Posts: 3
  • Status: Offline

Post January 6th, 2010, 5:48 am

Storing session data in a MySQL required a php class. This class implements a new PHP session handler that can replace the default PHP session handler by storing session data in a MySQL database table.

The session handler works just by creating an object of this class. After that, applications just need to use the same code to store and retrieve session variables. How can I use it? It's very easy - just see this example:

Code: [ Select ]
<?php

  // first create the required mySQL table that is used by this class
  // you can do that by running in mySQL the "session_data.sql" file
  // from the "install" folder!
  
  // change the next values to match the setting of your mySQL database
  $mySQLHost = "localhost";
  $mySQLUsername = "username";
  $mySQLPassword = "password";
  
  // this is the name of the database where you created the table
  // used by this class
  $mySQLDatabase = "database";
  
  $link = mysql_connect($mySQLHost, $mySQLUsername, $mySQLPassword);

  if (!$link) {

    die ("Could not connect to database!");

  }

  $db = mysql_select_db($mySQLDatabase, $link);

  if (!$db) {

    die ("Could not select database!");

  }

  // include the session manager class
  require "../class.dbsession.php";
  
  // instantiate a new session object
  // note that you don't need to call the session_start() function
  // as it is called automatically when the object is instantiated
  $session = new dbsession();

  // from now on, use sessions as you would normally
  // the only difference is that session data is no longer saved on the server
  // but in your database, making the data in it more secure
  
  print_r("
    The first time you run the script there should be an empty array (as there's nothing in the
\$_SESSION array)<br />
    After you press \"refresh\" on your browser you will se the values that were
written in the \$_SESSION array<br>
  ");
  print_r("<pre>");
  print_r($_SESSION);
  print_r("</pre>");

  // add some values to the session
  $_SESSION["value1"] = "hello";
  $_SESSION["value2"] = "world";
  
  // now check the table and see that there is data in it!
  
  // to completely delete a session uncomment the following line
  
  //$session->stop();
?>
  1. <?php
  3.   // first create the required mySQL table that is used by this class
  4.   // you can do that by running in mySQL the "session_data.sql" file
  5.   // from the "install" folder!
  6.   
  7.   // change the next values to match the setting of your mySQL database
  8.   $mySQLHost = "localhost";
  9.   $mySQLUsername = "username";
  10.   $mySQLPassword = "password";
  11.   
  12.   // this is the name of the database where you created the table
  13.   // used by this class
  14.   $mySQLDatabase = "database";
  15.   
  16.   $link = mysql_connect($mySQLHost, $mySQLUsername, $mySQLPassword);
  18.   if (!$link) {
  20.     die ("Could not connect to database!");
  22.   }
  24.   $db = mysql_select_db($mySQLDatabase, $link);
  26.   if (!$db) {
  28.     die ("Could not select database!");
  30.   }
  32.   // include the session manager class
  33.   require "../class.dbsession.php";
  34.   
  35.   // instantiate a new session object
  36.   // note that you don't need to call the session_start() function
  37.   // as it is called automatically when the object is instantiated
  38.   $session = new dbsession();
  40.   // from now on, use sessions as you would normally
  41.   // the only difference is that session data is no longer saved on the server
  42.   // but in your database, making the data in it more secure
  43.   
  44.   print_r("
  45.     The first time you run the script there should be an empty array (as there's nothing in the
  46. \$_SESSION array)<br />
  47.     After you press \"refresh\" on your browser you will se the values that were
  48. written in the \$_SESSION array<br>
  49.   ");
  50.   print_r("<pre>");
  51.   print_r($_SESSION);
  52.   print_r("</pre>");
  54.   // add some values to the session
  55.   $_SESSION["value1"] = "hello";
  56.   $_SESSION["value2"] = "world";
  57.   
  58.   // now check the table and see that there is data in it!
  59.   
  60.   // to completely delete a session uncomment the following line
  61.   
  62.   //$session->stop();
  63. ?>


and the session will store in the mysql after that
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post January 6th, 2010, 5:48 am

  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Joined: Jul 25, 2005
  • Posts: 2735
  • Loc: Nashville, TN
  • Status: Offline

Post January 6th, 2010, 6:37 am

I've edited your post for organization and meaningful content. If you would like to continue your example and share the required class code here as well, I am ok with that, but please do not post threads only to redirect to your personal page. We're about learning here - not marketing.

The required file, class.dbsession.php:
Code: [ Select ]
<?php

/**
* A class to handle sessions by using a mySQL database for session related data storage providing
better
* security then the default session handler used by PHP.
*
* To prevent session hijacking, don't forget to use the {@link regenerate_id} method whenever you
do a
* privilege change in your application
*
* <i>Before usage, make sure you use the session_data.sql file from the
<b>install</b> folder to set up the table
* used by the class</i>
*
* After instantiating the class, use sessions as you would normally
*
* This class is an adaptation of John Herren's code from the "Trick out your session
handler" article
* ({@link http://devzone.zend.com/node/view/id/141}) and Chris Shiflett's code from Chapter 8,
Shared Hosting - Pg 78-80,
* of his book - "Essential PHP Security" ({@link http://phpsecurity.org/code/ch08-2})
*
* <i>Note that the class assumes that there is an active connection to a mySQL database and
it does not attempt to create
* one. This is due to the fact that, usually, there is a config file that holds the database
connection related
* information and another class, or function that handles database connection. If this is not how
you do it, you can
* easily adapt the code by putting the database connection related code in the "open"
method of the class.</i>
*
* This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5
License.
* To view a copy of this license, visit {@link http://creativecommons.org/licenses/by-nc-nd/2.5/}
or send a letter to
* Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
*
* For more resources visit {@link http://stefangabos.blogspot.com}
*
* @author   Stefan Gabos <ix@nivelzero.ro>
* @version  1.0.1 (last revision: August 11, 2006)
* @copyright (c) 2006 Stefan Gabos
* @package  dbSession
*/

error_reporting(E_ALL);

class dbSession
{

  /**
   * Constructor of class
   *
   * Initializes the class and starts a new session
   *
   * There is no need to call start_session() after instantiating this class
   *
   * @param integer   $gc_maxlifetime   the number of seconds after which data will be seen
as 'garbage' and
   *                     cleaned up on the next run of the gc (garbage
collection) routine
   *
   *                     Default is specified in php.ini file
   *
   * @param integer   $gc_probability   used in conjunction with gc_divisor, is used to
manage probability that
   *                     the gc routine is started. the probability is
expressed by the formula
   *
   *                     probability = $gc_probability / $gc_divisor
   *
   *                     So if $gc_probability is 1 and $gc_divisor is 100
means that there is
   *                     a 1% chance the the gc routine will be called on
each request
   *
   *                     Default is specified in php.ini file
   *
   * @param integer   $gc_divisor     used in conjunction with gc_probability, is used to
manage probability
   *                     that the gc routine is started. the probability is
expressed by the formula
   *
   *                     probability = $gc_probability / $gc_divisor
   *
   *                     So if $gc_probability is 1 and $gc_divisor is 100
means that there is
   *                     a 1% chance the the gc routine will be called on
each request
   *
   *                     Default is specified in php.ini file
   *
   * @return void
   */
  function dbSession($gc_maxlifetime = "", $gc_probability = "", $gc_divisor =
"")
  {

    // if $gc_maxlifetime is specified and is an integer number
    if ($gc_maxlifetime != "" && is_integer($gc_maxlifetime)) {
    
      // set the new value
      @ini_set('session.gc_maxlifetime', $gc_maxlifetime);
      
    }

    // if $gc_probability is specified and is an integer number
    if ($gc_probability != "" && is_integer($gc_probability)) {

      // set the new value
      @ini_set('session.gc_probability', $gc_probability);

    }

    // if $gc_divisor is specified and is an integer number
    if ($gc_divisor != "" && is_integer($gc_divisor)) {

      // set the new value
      @ini_set('session.gc_divisor', $gc_divisor);

    }
    
    // get session lifetime
    $this->sessionLifetime = ini_get("session.gc_maxlifetime");
    
    // register the new handler
    session_set_save_handler(
      array(&$this, 'open'),
      array(&$this, 'close'),
      array(&$this, 'read'),
      array(&$this, 'write'),
      array(&$this, 'destroy'),
      array(&$this, 'gc')
    );
    register_shutdown_function('session_write_close');
    
    // start the session
    session_start();
    
  }
  
  /**
   * Deletes all data related to the session
   *
   * @return void
   */     
  function stop()
  {
    $this->regenerate_id();
    session_unset();
    session_destroy();
  }
  
  /**
   * Regenerates the session id.
   *
   * <b>Call this method whenever you do a privilege change!</b>
   *
   * @return void
   */
  function regenerate_id()
  {

    // saves the old session's id
    $oldSessionID = session_id();
    
    // regenerates the id
    // this function will create a new session, with a new id and containing the data from the
old session
    // but will not delete the old session
    session_regenerate_id();
    
    // because the session_regenerate_id() function does not delete the old session,
    // we have to delete it manually
    $this->destroy($oldSessionID);
    
  }
  
  /**
   * Get the number of online users
   *
   * This is not 100% accurate. It depends on how often the garbage collector is run
   *
   * @return integer   approximate number of users currently online
   */
  function get_users_online()
  {

    // counts the rows from the database
    $result = @mysql_fetch_assoc(@mysql_query("
      SELECT
        COUNT(session_id) as count
      FROM session_data
    "));
    
    // return the number of found rows
    return $result["count"];
    
  }
  
  /**
   * Custom open() function
   *
   * @access private
   */
  function open($save_path, $session_name)
  {
  
    return true;
    
  }
  
  /**
   * Custom close() function
   *
   * @access private
   */
  function close()
  {
    return true;
  }
  
  /**
   * Custom read() function
   *
   * @access private
   */
  function read($session_id)
  {

    // reads session data associated with the session id
    // but only if the HTTP_USER_AGENT is the same as the one who had previously written to this
session
    // and if session has not expired
    $result = @mysql_query("
      SELECT
        session_data
      FROM
        session_data
      WHERE
        session_id = '".$session_id."' AND
        http_user_agent = '".$_SERVER["HTTP_USER_AGENT"]."' AND
        session_expire > '".time()."'
    ");
    
    // if anything was found
    if (is_resource($result) && @mysql_num_rows($result) > 0) {

      // return found data
      $fields = @mysql_fetch_assoc($result);
      // don't bother with the unserialization - PHP handles this automatically
      return $fields["session_data"];
      
    }
    
    // if there was an error return an empty string - this HAS to be an empty string
    return "";
    
  }
  
  /**
   * Custom write() function
   *
   * @access private
   */
  function write($session_id, $session_data)
  {
  
    // first checks if there is a session with this id
    $result = @mysql_query("
      SELECT
        *
      FROM
        session_data
      WHERE
        session_id = '".$session_id."'
    ");
    
    // if there is
    if (@mysql_num_rows($result) > 0) {

      // update the existing session's data
      // and set new expiry time
      $result = @mysql_query("
        UPDATE
          session_data
        SET
          session_data = '".$session_data."',
          session_expire = '".(time() + $this->sessionLifetime)."'
        WHERE
          session_id = '".$session_id."'
      ");
      
      // if anything happened
      if (@mysql_affected_rows()) {
      
        // return true
        return true;
        
      }

    // if this session id is not in the database
    } else {

      // insert a new record
      $result = @mysql_query("
        INSERT INTO
          session_data
            (
              session_id,
              http_user_agent,
              session_data,
              session_expire
            )
          VALUES
            (
              '".$session_id."',
              '".$_SERVER["HTTP_USER_AGENT"]."',
              '".$session_data."',
              '".(time() + $this->sessionLifetime)."'
            )
      ");
      
      // if anything happened
      if (@mysql_affected_rows()) {
      
        // return an empty string
        return "";
        
      }
      
    }
    
    // if something went wrong, return false
    return false;
    
  }
  
  /**
   * Custom destroy() function
   *
   * @access private
   */
  function destroy($session_id)
  {

    // deletes the current session id from the database
    $result = @mysql_query("
      DELETE FROM
        session_data
      WHERE
        session_id = '".$session_id."'
    ");
    
    // if anything happened
    if (@mysql_affected_rows()) {
    
      // return true
      return true;
      
    }

    // if something went wrong, return false
    return false;
    
  }
  
  /**
   * Custom gc() function (garbage collector)
   *
   * @access private
   */
  function gc($maxlifetime)
  {
  
    // it deletes expired sessions from database
    $result = @mysql_query("
      DELETE FROM
        session_data
      WHERE
        session_expire < '".(time() - $maxlifetime)."'
    ");
    
  }
  
}
?>
  1. <?php
  3. /**
  4. * A class to handle sessions by using a mySQL database for session related data storage providing
  5. better
  6. * security then the default session handler used by PHP.
  7. *
  8. * To prevent session hijacking, don't forget to use the {@link regenerate_id} method whenever you
  9. do a
  10. * privilege change in your application
  11. *
  12. * <i>Before usage, make sure you use the session_data.sql file from the
  13. <b>install</b> folder to set up the table
  14. * used by the class</i>
  15. *
  16. * After instantiating the class, use sessions as you would normally
  17. *
  18. * This class is an adaptation of John Herren's code from the "Trick out your session
  19. handler" article
  20. * ({@link http://devzone.zend.com/node/view/id/141}) and Chris Shiflett's code from Chapter 8,
  21. Shared Hosting - Pg 78-80,
  22. * of his book - "Essential PHP Security" ({@link http://phpsecurity.org/code/ch08-2})
  23. *
  24. * <i>Note that the class assumes that there is an active connection to a mySQL database and
  25. it does not attempt to create
  26. * one. This is due to the fact that, usually, there is a config file that holds the database
  27. connection related
  28. * information and another class, or function that handles database connection. If this is not how
  29. you do it, you can
  30. * easily adapt the code by putting the database connection related code in the "open"
  31. method of the class.</i>
  32. *
  33. * This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5
  34. License.
  35. * To view a copy of this license, visit {@link http://creativecommons.org/licenses/by-nc-nd/2.5/}
  36. or send a letter to
  37. * Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
  38. *
  39. * For more resources visit {@link http://stefangabos.blogspot.com}
  40. *
  41. * @author   Stefan Gabos <ix@nivelzero.ro>
  42. * @version  1.0.1 (last revision: August 11, 2006)
  43. * @copyright (c) 2006 Stefan Gabos
  44. * @package  dbSession
  45. */
  47. error_reporting(E_ALL);
  49. class dbSession
  50. {
  52.   /**
  53.    * Constructor of class
  54.    *
  55.    * Initializes the class and starts a new session
  56.    *
  57.    * There is no need to call start_session() after instantiating this class
  58.    *
  59.    * @param integer   $gc_maxlifetime   the number of seconds after which data will be seen
  60. as 'garbage' and
  61.    *                     cleaned up on the next run of the gc (garbage
  62. collection) routine
  63.    *
  64.    *                     Default is specified in php.ini file
  65.    *
  66.    * @param integer   $gc_probability   used in conjunction with gc_divisor, is used to
  67. manage probability that
  68.    *                     the gc routine is started. the probability is
  69. expressed by the formula
  70.    *
  71.    *                     probability = $gc_probability / $gc_divisor
  72.    *
  73.    *                     So if $gc_probability is 1 and $gc_divisor is 100
  74. means that there is
  75.    *                     a 1% chance the the gc routine will be called on
  76. each request
  77.    *
  78.    *                     Default is specified in php.ini file
  79.    *
  80.    * @param integer   $gc_divisor     used in conjunction with gc_probability, is used to
  81. manage probability
  82.    *                     that the gc routine is started. the probability is
  83. expressed by the formula
  84.    *
  85.    *                     probability = $gc_probability / $gc_divisor
  86.    *
  87.    *                     So if $gc_probability is 1 and $gc_divisor is 100
  88. means that there is
  89.    *                     a 1% chance the the gc routine will be called on
  90. each request
  91.    *
  92.    *                     Default is specified in php.ini file
  93.    *
  94.    * @return void
  95.    */
  96.   function dbSession($gc_maxlifetime = "", $gc_probability = "", $gc_divisor =
  97. "")
  98.   {
  100.     // if $gc_maxlifetime is specified and is an integer number
  101.     if ($gc_maxlifetime != "" && is_integer($gc_maxlifetime)) {
  102.     
  103.       // set the new value
  104.       @ini_set('session.gc_maxlifetime', $gc_maxlifetime);
  105.       
  106.     }
  108.     // if $gc_probability is specified and is an integer number
  109.     if ($gc_probability != "" && is_integer($gc_probability)) {
  111.       // set the new value
  112.       @ini_set('session.gc_probability', $gc_probability);
  114.     }
  116.     // if $gc_divisor is specified and is an integer number
  117.     if ($gc_divisor != "" && is_integer($gc_divisor)) {
  119.       // set the new value
  120.       @ini_set('session.gc_divisor', $gc_divisor);
  122.     }
  123.     
  124.     // get session lifetime
  125.     $this->sessionLifetime = ini_get("session.gc_maxlifetime");
  126.     
  127.     // register the new handler
  128.     session_set_save_handler(
  129.       array(&$this, 'open'),
  130.       array(&$this, 'close'),
  131.       array(&$this, 'read'),
  132.       array(&$this, 'write'),
  133.       array(&$this, 'destroy'),
  134.       array(&$this, 'gc')
  135.     );
  136.     register_shutdown_function('session_write_close');
  137.     
  138.     // start the session
  139.     session_start();
  140.     
  141.   }
  142.   
  143.   /**
  144.    * Deletes all data related to the session
  145.    *
  146.    * @return void
  147.    */     
  148.   function stop()
  149.   {
  150.     $this->regenerate_id();
  151.     session_unset();
  152.     session_destroy();
  153.   }
  154.   
  155.   /**
  156.    * Regenerates the session id.
  157.    *
  158.    * <b>Call this method whenever you do a privilege change!</b>
  159.    *
  160.    * @return void
  161.    */
  162.   function regenerate_id()
  163.   {
  165.     // saves the old session's id
  166.     $oldSessionID = session_id();
  167.     
  168.     // regenerates the id
  169.     // this function will create a new session, with a new id and containing the data from the
  170. old session
  171.     // but will not delete the old session
  172.     session_regenerate_id();
  173.     
  174.     // because the session_regenerate_id() function does not delete the old session,
  175.     // we have to delete it manually
  176.     $this->destroy($oldSessionID);
  177.     
  178.   }
  179.   
  180.   /**
  181.    * Get the number of online users
  182.    *
  183.    * This is not 100% accurate. It depends on how often the garbage collector is run
  184.    *
  185.    * @return integer   approximate number of users currently online
  186.    */
  187.   function get_users_online()
  188.   {
  190.     // counts the rows from the database
  191.     $result = @mysql_fetch_assoc(@mysql_query("
  192.       SELECT
  193.         COUNT(session_id) as count
  194.       FROM session_data
  195.     "));
  196.     
  197.     // return the number of found rows
  198.     return $result["count"];
  199.     
  200.   }
  201.   
  202.   /**
  203.    * Custom open() function
  204.    *
  205.    * @access private
  206.    */
  207.   function open($save_path, $session_name)
  208.   {
  209.   
  210.     return true;
  211.     
  212.   }
  213.   
  214.   /**
  215.    * Custom close() function
  216.    *
  217.    * @access private
  218.    */
  219.   function close()
  220.   {
  221.     return true;
  222.   }
  223.   
  224.   /**
  225.    * Custom read() function
  226.    *
  227.    * @access private
  228.    */
  229.   function read($session_id)
  230.   {
  232.     // reads session data associated with the session id
  233.     // but only if the HTTP_USER_AGENT is the same as the one who had previously written to this
  234. session
  235.     // and if session has not expired
  236.     $result = @mysql_query("
  237.       SELECT
  238.         session_data
  239.       FROM
  240.         session_data
  241.       WHERE
  242.         session_id = '".$session_id."' AND
  243.         http_user_agent = '".$_SERVER["HTTP_USER_AGENT"]."' AND
  244.         session_expire > '".time()."'
  245.     ");
  246.     
  247.     // if anything was found
  248.     if (is_resource($result) && @mysql_num_rows($result) > 0) {
  250.       // return found data
  251.       $fields = @mysql_fetch_assoc($result);
  252.       // don't bother with the unserialization - PHP handles this automatically
  253.       return $fields["session_data"];
  254.       
  255.     }
  256.     
  257.     // if there was an error return an empty string - this HAS to be an empty string
  258.     return "";
  259.     
  260.   }
  261.   
  262.   /**
  263.    * Custom write() function
  264.    *
  265.    * @access private
  266.    */
  267.   function write($session_id, $session_data)
  268.   {
  269.   
  270.     // first checks if there is a session with this id
  271.     $result = @mysql_query("
  272.       SELECT
  273.         *
  274.       FROM
  275.         session_data
  276.       WHERE
  277.         session_id = '".$session_id."'
  278.     ");
  279.     
  280.     // if there is
  281.     if (@mysql_num_rows($result) > 0) {
  283.       // update the existing session's data
  284.       // and set new expiry time
  285.       $result = @mysql_query("
  286.         UPDATE
  287.           session_data
  288.         SET
  289.           session_data = '".$session_data."',
  290.           session_expire = '".(time() + $this->sessionLifetime)."'
  291.         WHERE
  292.           session_id = '".$session_id."'
  293.       ");
  294.       
  295.       // if anything happened
  296.       if (@mysql_affected_rows()) {
  297.       
  298.         // return true
  299.         return true;
  300.         
  301.       }
  303.     // if this session id is not in the database
  304.     } else {
  306.       // insert a new record
  307.       $result = @mysql_query("
  308.         INSERT INTO
  309.           session_data
  310.             (
  311.               session_id,
  312.               http_user_agent,
  313.               session_data,
  314.               session_expire
  315.             )
  316.           VALUES
  317.             (
  318.               '".$session_id."',
  319.               '".$_SERVER["HTTP_USER_AGENT"]."',
  320.               '".$session_data."',
  321.               '".(time() + $this->sessionLifetime)."'
  322.             )
  323.       ");
  324.       
  325.       // if anything happened
  326.       if (@mysql_affected_rows()) {
  327.       
  328.         // return an empty string
  329.         return "";
  330.         
  331.       }
  332.       
  333.     }
  334.     
  335.     // if something went wrong, return false
  336.     return false;
  337.     
  338.   }
  339.   
  340.   /**
  341.    * Custom destroy() function
  342.    *
  343.    * @access private
  344.    */
  345.   function destroy($session_id)
  346.   {
  348.     // deletes the current session id from the database
  349.     $result = @mysql_query("
  350.       DELETE FROM
  351.         session_data
  352.       WHERE
  353.         session_id = '".$session_id."'
  354.     ");
  355.     
  356.     // if anything happened
  357.     if (@mysql_affected_rows()) {
  358.     
  359.       // return true
  360.       return true;
  361.       
  362.     }
  364.     // if something went wrong, return false
  365.     return false;
  366.     
  367.   }
  368.   
  369.   /**
  370.    * Custom gc() function (garbage collector)
  371.    *
  372.    * @access private
  373.    */
  374.   function gc($maxlifetime)
  375.   {
  376.   
  377.     // it deletes expired sessions from database
  378.     $result = @mysql_query("
  379.       DELETE FROM
  380.         session_data
  381.       WHERE
  382.         session_expire < '".(time() - $maxlifetime)."'
  383.     ");
  384.     
  385.   }
  386.   
  387. }
  388. ?>
I'd love to change the world, but they won't give me the source code.

Page 1 of 1

Post Information

  • Total Posts in this topic: 2 posts
  • Users browsing this forum: No registered users and 126 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
cron
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.