Search the Community

Hi Larry, Just FYI I modified the db_sessions code (pp 82..) for PDO - after a few pitfalls it works beautifully. Thanks for the base code to work with. Cheers, Necuima.

Hi Larry, I have encountered a really weird problem (well weird to me) re the server not being able to write a session cookie reliably but it always gets set first go in localhost. I had to include a do-while loop in the production version until the session data were available but I don't know how many times the loop gets executed before the session cookie gets set. Can you offer any guidance on how to debug this? Am using IE11 and Firefox 62.0 Thanks as always, Necuima

Hi Larry, On page 90 you define the clean_session function but I can't figure out how to invoke it. I tried 'session_clean(seconds)' to no avail. Can you please guide me. Thanks, Necuima.

I was hoping that someone might be able to provide a few lines of code that would automatically log the user out after 20 or 30 minutes of inactivity. Maybe the code could be placed in the config.inc.php file so that it gets run frequently? (Note: I am using the "First Site" as created in chapters 1-6 of Larry's book.) Thanks!

In Chapter 19, the $_SESSION['customer_id'] variable is often used for things like isset($_SESSION['customer_id']) why though can't we use other table columns that are like customer_id in the $_SESSION[] for example $_SESSION['order_id'] In chapter 19 also, the $_GET['id'] is the same id as the customer's. Why is it the same? Where does it get declared as the same, I have searched through the scripts and I don't see it. I am trying to create a script where users can view their past orders. The trouble I am having is calculating the total amount of the order in the checkout.php script, because there is no customer_id field in the order_contents table. Here is where I am at with that in the checkout.php script: $u = "SELECT price * quantity AS amount FROM order_contents WHERE order_id=?not sure what to put here"; $total = mysqli_query($dbc, $u);

Hello, Just read through sessions in Ch3. There is one thing I did not get. How do I obtain the session_id(). It seems to be always empty. I even tried to set it in the read_session() but still no effect. Is this the expected behavior or am I missing anything? Cheers

Hi Larry, and all other experts, I am following your guide on setting up yii for my site, and I am at the stage where I want to design all the database tables before I run Gii for the CRUD/model/view/controllers setups, now I wanted to save the session data onto a database table and have as little possible info in cookies (i'd rather not use cookies unless the user specifically wants to, or i may need to to validate whether the user is using the same machine). anyway, i got the session thing to work with the mysql db and it created the table fine... now i want to try to modify the table structure and create more fields in this table to save for instance, ip, referrer, isp, http headers, screen resolution, os, browser, etc, if i pre make these fields and call functions to read this data upon user visits, can i keep the session in the db for even if it is expired, (and then i hope to copy expired session to gather some metrics, or even for legal purposes, who was on when and where they came from (in case of criminal activity, I assume the authorities may request social networking sites to gather such statistics because it is a requirement that such sites have a report button)). so if i sort this session table out i can then run gii, would gii include this session table too? any tips or advice? thanks a million Larry (or others), your book has probably sold more than u think already, Yii is so nice to use, thanks to you, Kind Regards, Deian

SOLVED for solution see the last part of my first post _______________________________________________________________________ hi , i read chapter 3 and try to pass session_set_save_handler with an object, here's the code for my session handler class: <?php class MySessionHandler implements SessionHandlerInterface { protected $conn = NULL; public function open($savePath, $sessionName) { if(is_null($this->conn)) { $dsn = 'mysql:host=localhost;dbname=php_advanced'; $username = 'root'; $password = 'password'; try { $this->conn = new PDO($dsn, $username, $password); $this->conn->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION); } catch(PDOException $e) { $this->conn = NULL; die('error in open function ' . $e->getMessage()); } } return TRUE; } public function close() { echo '<p>close</p>'; $this->conn = NULL; return TRUE; } public function read($id) { echo '<p>read</p>'; $query = 'SELECT data FROM session_table WHERE session_id = :id'; try { $pdo = $this->conn->prepare($query); $pdo->bindValue(':id', $id); $pdo->execute(); // Kalo query berhasil nemuin id.. if($pdo->rowCount() == 1) { list($sessionData) = $pdo->fetch(); return $sessionData; } return FALSE; } catch(PDOException $e) { $this->conn = NULL; die('error in read function => ' . $e->getMessage()); } } public function write($id, $data) { echo '<p>write</p>'; $query = 'REPLACE INTO session_table(session_id, data) VALUES(:id, :data)'; try { $pdo = $this->conn->prepare($query); $pdo->bindValue(':id', $id); $pdo->bindValue(':data', $data); $pdo->execute(); // return the value whether its success or not return (bool)$pdo->rowCount(); } catch(PDOException $e) { $this->conn = NULL; die('error in write function => ' . $e->getMessage()); } } public function destroy($id) { echo '<p>destroy</p>'; $query = 'DELETE FROM session_table WHERE session_id = :id LIMIT 1'; try { $pdo = $this->conn->prepare($query); $pdo->bindValue(':id', $id); $pdo->execute(); $_SESSION = array(); return (bool)$pdo->rowCount(); } catch(PDOException $e) { $this->conn = NULL; die('error in destroy function => ' . $e->getMessage()); } } public function gc($maxLifeTime) { echo '<p>garbage collection</p>'; $query = 'DELETE FROM session_table WHERE DATE_ADD(last_accessed INTERVAL :time SECOND) < NOW()'; try { $pdo = $this->conn->prepare($query); $pdo->bindValue(':time', $maxLifeTime); $pdo->execute(); return TRUE; } catch(PDOException $e) { $this->conn = NULL; die('error in gc function => ' . $e->getMessage()); } } } $SessionHandler = new MySessionHandler(); session_set_save_handler($SessionHandler); session_name('my_session'); session_start(); i remove the session_write_close on purpose. This probably sounds stupid, but i want to get the session error to learn more.. here's session script(using Larry's code): <?php require('session_class.php'); ?><!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>DB Session Test</title> <link rel="stylesheet" href="style.css"> </head> <body> <?php // Store some dummy data in the session, if no data is present: if (empty($_SESSION)) { $_SESSION['blah'] = 'umlaut'; $_SESSION['this'] = 3615684.45; $_SESSION['that'] = 'blue'; // Print a message indicating what's going on: echo '<p>Session data stored.</p>'; } else { // Print the already-stored data: echo '<p>Session Data Exists:<pre>' . print_r($_SESSION, 1) . '</pre></p>'; } // Log the user out, if applicable: if (isset($_GET['logout'])) { session_destroy(); echo '<p>Session destroyed.</p>'; } else { // Otherwise, print the "Log Out" link: echo '<a href="session_link.php?logout=true">Log Out</a>'; } // Reprint the session data: echo '<p>Session Data:<pre>' . print_r($_SESSION, 1) . '</pre></p>'; // Complete the page: echo '</body> </html>'; // Write and close the session: // session_write_close <<<<<--- I REMOVE THIS ON PURPOSE TO GET ERROR ?> but i dont get any error, then i try to use Larry's mysqli script to connect db and it produces error.. can anyone explain why if im using PDO it doesn't generate error? i'm even dont use register_shutdown_function('session_write_close'); in my session class destructor (on purpose) NOTE : I'm doing this on purpose because i want to learn more. the error im expecting is like when im using mysqli connection(connection closed by php at the end of script then session try to write and close but no connection available) : Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /var/www/ullman_advance/ch3/ullman_db.php on line 66 Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given in /var/www/ullman_advance/ch3/ullman_db.php on line 66 Warning: mysqli_query() expects parameter 1 to be mysqli, null given in /var/www/ullman_advance/ch3/ullman_db.php on line 67 Warning: mysqli_close() expects parameter 1 to be mysqli, null given in /var/www/ullman_advance/ch3/ullman_db.php on line 33 UPDATE i just tried to pass session_set_save_handler with function callback(using pdo as connection) and it produces error i expected, but still if using MySessionHandler class it doesn't produce any error. The codes in the MySessionHandler class is similar with my new session handler functions. here's the script <?php $conn = NULL; function open_session() { echo '<p>open session</p>'; global $conn; $_dsn = 'mysql:host=localhost;dbname=php_advanced'; $_username = 'root'; $_password = 'monyetsahur'; $conn = new PDO($_dsn, $_username, $_password); $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); return TRUE; } function close_session() { echo '<p>close session</p>'; global $conn; $conn = NULL; return TRUE; } function read_session($sid) { echo '<p>read session</p>'; global $conn; $query = 'SELECT data FROM session_table WHERE session_id = :sid'; $pdo = $conn->prepare($query); $pdo->bindValue(':sid', $sid, PDO::PARAM_STR); $pdo->execute(); if($pdo->rowCount() == 1) { list($session_data) = $pdo->fetch(); echo '<pre>'; print_r($session_data); echo '</pre>'; return $session_data; } else { return ''; } } function write_session($sid, $data) { echo '<p>write session</p>'; global $conn; $query = 'REPLACE INTO session_table(session_id, data) VALUES(:sid, :data)'; $pdo = $conn->prepare($query); $pdo->bindValue(':sid', $sid, PDO::PARAM_STR); $pdo->bindValue(':data', $data, PDO::PARAM_STR); $pdo->execute(); return (bool)$pdo->rowCount(); } function destroy_session($sid) { echo '<p>destroy session </p>'; global $conn; $query = 'DELETE FROM session_table WHERE session_id = :sid'; $pdo = $conn->prepare($query); $pdo->bindValue(':sid', $sid, PDO::PARAM_STR); $pdo->execute(); // clean the session array; $_SESSION = array(); return TRUE } function clean_session($expire) { echo '<p>clean session</p>'; global $conn; $query = 'DELETE FROM session_table WHERE DATE_ADD(last_accessed, INTERVAL :expire SECOND) < NOW()'; $pdo = $conn->prepare($query); $pdo->bindValue(':expire', $expire, PDO::PARAM_INT); $pdo->execute(); return $pdo->rowCount(); } session_set_save_handler('open_session', 'close_session', 'read_session', 'write_session', 'destroy_session', 'clean_session'); session_name('my_session'); session_start(); SOLVED: SOLVED sorry guys my mistake actually its a pretty easy answer why MySessionHandler class doesnt produce error wihtout session_write_close() in the end of script, session_set_save_handler() by default will register session_write_close() to register_shutdown_function() so if u want to make your own shutdown function for session then use : session_set_save_handler($SessionClass, FALSE) if u do this then u must provide session_write_close() in your class destructor source : http://php.net/manual/en/function.session-set-save-handler.php thanks for the tips and your attention

I am a little confused about session/cookies automatic interaction/behavior. You explained that it is preferable to store the email (users.email) in session and not the userID (users.userID) because the email is harder to forge than userID which is a number, hence leaving the site exposed to XSS attacks. However, for whatever operations the user may be allowed to do, like CRUD operations, you will need the id of the table for that specific action (let's say "posts" table, for example, we will need something like posts.postID) and the userID. To get users.userID from users.email we will have to make a SELECT query every time, as opposed of having the userID stored in the session, hence a query less every time. It seems to me that will be a lot more convenient to store the userID in the session. You said that it will not be a problem to have the userID stored in session as far as we do not have it stored in cookie. Here I am a little confused, because I do not understand how setting the userID in session become a cookie problem (as the argument against using the userID in session is predicted on leaking the value in the cookie and I do not understand why). I do not stored anything explicit in a cookie, will a cookie be always created when starting a session? What it will contain if no explicit value/parameters were given? If I stored the userID in the session, should I be preoccupied that it may leak in the cookie without knowing it? Is it a common behavior for the cookies to replicate sessions? Should I explicitly set a cookie every time to overwrite odd behavior or is it possible to let the cookie work automatically and do the job only from session? Shouldn't cookies and sessions be isolated and work separately? I am guessing all problems start with directives like the one you suggested on page 357. What is the effect of "ini_set ('session_use_only_cookies', 1)" when you store the userID in the session and no cookie was set explicitly? Why don't we simply use a salt and hash the value? Isn't more beneficial this approach considering that it should be safer and we end up having the userID stored, which is much more practical to use than users.email? You presented cookies as being safer from one point of view. However, sessions are stored on server, shouldn't be safer to use sessions? I see a reason why using cookies to store user settings (as selected language for the forum, for example), but I do not see any good reason to use cookies to store sensitive information as the userID. If the argument, as I understand it, is that whatever a cookie holds it can be forged easily because it is easy to guess numbers, I do not see why it is not a big problem this behavior in the first place or why does it feel safer as chances are the attacker can very easily know the email of the victim, hence being in the same situation as when using numbers. It looks more secure, but in my opinion it is a false sense of security. Emails can be as easily be guessed (or known in advance) as numbers, it is not such an important defensive mechanism. I guess my point is: never use cookies when safety is paramount... maybe I am wrong.