
How to save session or cookie in database?


This topic has been archived. This means that you cannot reply to this topic.
10 replies to this topic

#1
Hamed

    Programming Professional

  • Members
  • 276 posts
Is it possible to store sessions or cookies in a database, and check my users' login or logout by that?

#2
dbug

    Programmer

  • Members
  • 155 posts
Cookies are client side information sent on every request to the server. I don't think it makes sense to store them into a database.

There is a way to store session data into a database using the PHP function session_set_save_handler. By default PHP stores session data on disk. If you call this function you can overwrite this default method and use your own functions to read/write session data, so that you can store it into a database.

You could also write your own session management functions to use a database. In the previous link there is an example of how to do this.

Edited by dbug, 20 September 2010 - 01:22 AM.
added some information


#3
Alexander

    It's Science!

  • Moderators
  • 4,124 posts

Hamed said:

and check my users login or logout by that?
If you are looking for a way to keep the user authenticated, then cookies will expire automatically at the predefined expiry date. Generally one would keep the user logged in until the login cookie expires, then the user will be forced to log in again.

If you mean storing login data into a cookie to log them in, then that is not a secure method and should not be done.

@dbug, there are inherent dangers to doing that, you should use serialize() on session ($_SESSION) data only.

#4
dbug

I don't see the problems with session_set_save_handler. The string passed to you in the write method is an encoded version (similar to serialization) of the $_SESSION array. Maybe a call to some escaping function is needed to avoid problems with malicious strings if they can come from the user, but I don't see any other problem here. Am I missing something?

#5
dbug

I've just made some tests and I've seen that assigning an object to a session variable generates a string which contains null characters in the parameter passed to the write method. This could be problematic inside an SQL statement. Is this the problem you were talking about?

#6
Hamed

I want to code something like online people, and I think the best way to find who is online is storing login data in the database.
I also want to keep the previous link and the page being viewed, so I need to store data in the database.
I see some scripts have a sid (session ID) which is displayed in the URL, and they store user data on that.

#7
FireGator

    Learning Programmer

  • Members
  • 37 posts
You want to see how many unauthenticated users are online, that are registered with the session? You can get the session ID through session_id() and store it in the database with the current time, so you can delete old entries at the same time that are beyond say, two hours (3600*2 seconds).

nullworm was right about session handler being insecure, best you just store the SID.

#8
Hamed

And also I want to save my users' data?
Can I use both session and cookie for login?

FireGator said:

You want to see how many unauthenticated users are online, that are registered with the session? You can get the session ID through session_id() and store it in the database with the current time, so you can delete old entries at the same time that are beyond say, two hours (3600*2 seconds).

nullworm was right about session handler being insecure, best you just store the SID.


#9
dbug

To do that I wouldn't store session data in a database. You could simply use standard sessions to track active sessions and know if the user is authenticated or not, and, if all is OK, update some database tables to store the information you want. For example, each time the user asks for a page, you verify if he is logged in and has the appropriate rights using standard session management and some database queries. If so, then you update a table in the database to store the last asked page for that user.

Also, you can update a table every time a user is logged in, so you can keep a list of currently active users.

You can do all this without changing the default session management method.

#10
Hamed

Do we have any tutorial for online users?
I cannot find one.

#11
Hamed

Look at this class: PHP: session_set_save_handler - Manual

Can anyone explain how to delete expired sessions?