How to save session data in a database, not in a file system?

Question

How to save session data in a database, not in a file system?

I have two websites: One is TLS and the other is not, both for the same client, but I need sites to share with each other (and only with each other) common data for users, orders, accounts and etc.

This is usually done with $_SESSION data, but I obviously cannot work on other sites, and I found that I can store session data in a database (MySQL), and not in the file system.

I dug up and found This is a useful guide , as well as this old but useful guide . I also found this guide that has slightly more modern MySQL.

I wrote an interface class, but it only partially works, it stores session data in the database, but does not retrieve it. I also used the suggested method from the PHP manual .

My MySQL (as copied from the first pair of links above):

 CREATE TABLE `sessions` ( `id` varchar(32) COLLATE utf8_unicode_ci NOT NULL, `access` int(10) NOT NULL, `data` text COLLATE utf8_unicode_ci NOT NULL, UNIQUE KEY `id` (`id`) ) ENGINE=InnoDb DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Please note: Before I show you my interface class, please know that Db connetion uses my own user interface and works fine on its own.
$sessionDBconnectionUrl contains information about connecting to the session database, since I do sessions in a separate database from the main content of the website.

My interface class (as based on all of the above links)

 <?php /*** * Created by PhpStorm. ***/ class HafSessionHandler implements SessionHandler { private $database = null; public function __construct($sessionDBconnectionUrl){ if(!empty($sessionDBconnectionUrl) && file_exists($_SERVER['DOCUMENT_ROOT'].$sessionDBconnectionUrl)) { require_once "class.dataBase.php"; // Instantiate new Database object $this->database = new Database($sessionDBconnectionUrl); } else { error_log("Session could not initialise class."); } } /** * Open */ public function open($savepath, $id){ $openRow = $this->database->getSelect("SELECT `data` FROM sessions WHERE id = ? LIMIT 1",$id); if($this->database->selectRowsFoundCounter() == 1){ // Return True return $openRow['data']; } else { // Return False return ' '; } /** * Read */ public function read($id) { // Set query $readRow = $this->database->getSelect('SELECT `data` FROM sessions WHERE id = ? LIMIT 1', $id,TRUE); if ($this->database->selectRowsFoundCounter() > 0) { return $readRow['data']; } else { error_log("could not read session id ".$id); return ''; } } /** * Write */ public function write($id, $data) { $access = time(); // Set query $dataReplace[0] = $id; $dataReplace[1] = $access; $dataReplace[2] = $data; if ($this->database->noReturnQuery('REPLACE INTO sessions(id,access,`data`) VALUES (?, ?, ?)', $dataReplace)) { return TRUE; } else { return FALSE; } } /** * Destroy */ public function destroy($id) { // Set query if ($this->database->noReturnQuery('DELETE * FROM sessions WHERE id = ? ', $id)) { return TRUE; } else { return FALSE; } } /** * Close */ public function close(){ // Close the database connection // If successful if($this->database->dbiLink->close){ // Return True return true; } // Return False return false; } /** * Garbage Collection */ public function gc($max) { // Calculate what is to be deemed old $old = time() - $max; // Set query if ($this->database->noReturnQuery('DELETE * FROM sessions WHERE access < ?', $old)) { return TRUE; } else { return FALSE; } } public function __destruct() { $this->close(); } }

My test page (written from scratch!)

 <?php require "class.sessionHandler.inc.php"; $HSH = new HafSessionHandler("connection.session.dbxlink.php"); session_set_save_handler( $HSH, TRUE ); session_start(); print "<p>Hello this is an index page</p>"; $_SESSION['horses'] = "treesx3"; $_SESSION['tiespan'] = (int)$_SESSION['tiespan']+7; print "<p>There should be some session data in the database now. <a href='index3.php'>link</a></p>"; var_dump($_SESSION); exit;

Problem:

The executed test pages store the data in the database in order, but they don't seem to retrieve the data,

I have error logging enabled and no PHP errors are reported. No critical MySQL errors have been reported.

Why doesn't it work?

+5

database php mysql session

Martin Apr 20 '16 at 19:35

source share

1 answer

Martin · Accepted Answer · 2016-04-20T19:35:56+0000

Over the course of several hours of debugging, I found that links to articles found on numerous Google search engines, as well as a significant subset of Stack Overflow answers, for example, here and here provide invalid or outdated information.

Things that can cause [critical] problems with saving session data to the database:

Although you can “fill out” session_set_save_handler in all the examples online, none of them state that you should also set register_shutdown_function('session_write_close') ( link ).
Several (older) manuals relate to the obsolete SQL database structure and should not be used. The database structure that is needed to store session data in the database is id / access / data . It. there is no need for additional timestamp columns, as I saw in several “manuals” and examples.
- Some of the old manuals also have legacy MySQL syntax, for example DELETE * FROM ...
The class [made in my question] should implement SessionHandlerInterface . I saw manuals (see above) that provide an implementation of sessionHandler , which is not a suitable interface. Perhaps previous versions of PHP had a slightly different method (probably <5.4).
Session class methods must return the values specified in the PHP manual. Again, probably inherited from pre-5.4 PHP, but the two manuals that I read claimed that class->open returns the string to be read, whereas the PHP user manual that it needs to return is only true or false .

This is the reason for my original question . I used custom session names (actually id, because the session names and the session identifier are the same!) According to fooobar.com/questions/237577 / ... and this created a 128-character session name. Since the session name is the only key that needs to be cracked in order to compromise the session and take control

This means that to start a session on your output page, all you need is:

 <?php require "path/to/sessionhandler.class.php"; new MySessionHandler(); //Bang session has been setup and started and works

For reference, the full session association class is as follows, this works with PHP 5.6 (and probably 7, but not yet verified to 7)

 <?php /*** * Created by PhpStorm. ***/ class MySessionHandler implements SessionHandlerInterface { private $database = null; public function __construct($sessionDBconnectionUrl){ /*** * Just setting up my own database connection. Use yours as you need. ***/ require_once "class.database.include.php"; $this->database = new DatabaseObject($sessionDBconnectionUrl); // Set handler to overide SESSION session_set_save_handler( array($this, "open"), array($this, "close"), array($this, "read"), array($this, "write"), array($this, "destroy"), array($this, "gc") ); register_shutdown_function('session_write_close'); session_start(); } /** * Open */ public function open($savepath, $id){ // If successful $this->database->getSelect("SELECT `data` FROM sessions WHERE id = ? LIMIT 1",$id,TRUE); if($this->database->selectRowsFoundCounter() == 1){ // Return True return true; } // Return False return false; } /** * Read */ public function read($id) { // Set query $readRow = $this->database->getSelect('SELECT `data` FROM sessions WHERE id = ? LIMIT 1', $id,TRUE); if ($this->database->selectRowsFoundCounter() > 0) { return $readRow['data']; } else { return ''; } } /** * Write */ public function write($id, $data) { // Create time stamp $access = time(); // Set query $dataReplace[0] = $id; $dataReplace[1] = $access; $dataReplace[2] = $data; if ($this->database->noReturnQuery('REPLACE INTO sessions(id,access,`data`) VALUES (?, ?, ?)', $dataReplace)) { return true; } else { return false; } } /** * Destroy */ public function destroy($id) { // Set query if ($this->database->noReturnQuery('DELETE FROM sessions WHERE id = ? LIMIT 1', $id)) { return true; } else { return false; } } /** * Close */ public function close(){ // Close the database connection if($this->database->dbiLink->close){ // Return True return true; } // Return False return false; } /** * Garbage Collection */ public function gc($max) { // Calculate what is to be deemed old $old = time() - $max; if ($this->database->noReturnQuery('DELETE FROM sessions WHERE access < ?', $old)) { return true; } else { return false; } } public function __destruct() { $this->close(); } }

Usage: as shown above above the class code text.

How to save session data in a database, not in a file system?

More articles: