Today I would like to show you how to implement and use a class that allows you to store session data within an arbitrary database instead of storing the data in files. At the end of this tutorial I will show you how to use this class in practice.
Session management
If we are talking about a session, we always talk about an established connection between a client and a host. Because users could not be unequivocally identified within the world wide web, since it is based on stateless protocols such as http, it is necessary to implement such an identification within the application layer (OSI model). PHP uses therfore the so called session id, which is transfered from the client to the server. This id allows the unambiguous allocation of fragmented session data to one user.
Session data are stored at the server side and are deleted automatically after a fixed delay!
Typical examples for sessions are systems, which handle information that have to remain state between otherwise stateless transactions between different web pages. Typical applications which require this behavior are forums or online shops.
Let’s stay with the example of an online shop. Every online shop offers a cart in which the products are placed in, that should be ordered. This articles and the number of products, that the customer will ultimately source, have to remain state between different web page calls and have to be unambiguous allocated to the correct user.
Some of you may have noticed that in many web shops a user does not have to be authenticated to use the cart, which means that a session could also be established without prior authentication. This also allows us to track the user’s movements when he visits our web page.
Sessions and PHP
I am sure that most of you already dealt with sessions, but I would like to mention, that there are a few things you should be aware of. The PHP manual points to the fact, that if session.auto_start is activated in the php.ini, objects could just be handled within a session if the class definition is loaded using auto_prepend_file or the object is serialized. In this context it must be remembered that some data types cannot be serialized. These include resource variables or objects with ring references. Furthermore it should be noted that, if a session was started using session_start(), the corresponding dataset is only then created when the variable was registered using session_register().
Storing session data within a database
To store session data within a database, we will implement a short class. This class will overwrite the default behaviour of the PHP filesystem based session functions. To do this we could use the function session_set_save_handler(). The PHP manual already offers a great example on how to use this function, but it does not show how to use it to access class methods instead of functions.
It should be noted that the use of session_set_save_handler() enables us to change the default behavior of the PHP session functions, which enables us to store the session data wherever we want without changing the code that actually manages the session. The only thing you have to do is to instantiate the session class before starting the session.
Storing the session data within a database offers several advantages. First of all you could access the session data within a multiuser system directly, which enables you to setup a list of users currently logged in. Furthermore I believe that this way of handling session data is more secure than the filesystem based variant, because it is much harder to access the data, if you could not just open it with an editor. However there may be cases in which it is more comfortable or reasonable to store the data in files. To be flexible in planning it makes sense to implement a simple interface that could be used to implement more types of storing session data. Such a interface shall be as follows:
You are now able to implement different session handlers based on this interface. This allows you to easily switch between a filesystem and a mysql based session management. If you check out the interface you could see that there are six methods you have to implement, which will allow you to open, read, write, delete and close the underlaying data structure in order to manage the session data. In order to use these methods to store the session data within a database, you have to pass a database object (in this case a PHP Data Object PDO) to the class. Furthermore you have to tell the system to use your implementation instead of the standard one. As already mentioned this could be achieved using the function session_set_save_handler(), which will map the calls to the standard session functions to your own ones. In order to work with this implementation you also have to setup a new session within the constructor using session_start(). Finally you have to ensure that all data of a session is saved. Therefore you have to register a callback function, which should be invoked if the session terminates, using register_shutdown_function(). This allows us to call a method of our session handler class that saves all data of the current session. To implement all the other methods of the class you just need basic sql knowledge, thus I will not cover them here. However the methods are well documented and there are more hints at the manual page of session_set_save_handler(), so it should be very easy to understand the following code.
A practical example
Now as we finished the implementation of the session handler class, we could take a short look on how to use this implementation in our projects. Let’s assume that we would like to implement a administration and user login, which should be part of a community page. We instantiate the session handler, assign the “entered” user data and could then access them using the superglobal $_SESSION array. If you now take a look into the MySQL session table, you will recognize that it is now pretty easy to access this data to dump all online members.
This code demonstrates that if you create a new instance of the MySqlSession class, you are able to use the well known default session operations and functions without making any other changes to your code. This way it is very very easy to switch between different types of session management.
I hope you enjoyed this short tutorial and could use it within your own projects. In the next few days I will translate more of my tutorials published at der-webdesigner.net, so I can share them with you.
So stay tuned and until next time - happy coding!
Phidelux is a Computer Science MSc. interested in hardware hacking, embedded Linux, compilers, etc.