Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : Session Handling Functions : session_set_save_handler

session_set_save_handler

Sets user-level session storage functions (PHP 4, PHP 5)
bool session_set_save_handler ( callback open, callback close, callback read, callback write, callback destroy, callback gc )

Example 2227. session_set_save_handler() example

The following example provides file based session storage similar to the PHP sessions default save handler files. This example could easily be extended to cover database storage using your favorite PHP supported database engine.

<?php
function open($save_path, $session_name)
{
 global
$sess_save_path;

 
$sess_save_path = $save_path;
 return(
true);
}

function
close()
{
 return(
true);
}

function
read($id)
{
 global
$sess_save_path;

 
$sess_file = "$sess_save_path/sess_$id";
 return (string) @
file_get_contents($sess_file);
}

function
write($id, $sess_data)
{
 global
$sess_save_path;

 
$sess_file = "$sess_save_path/sess_$id";
 if (
$fp = @fopen($sess_file, "w")) {
   
$return = fwrite($fp, $sess_data);
   
fclose($fp);
   return
$return;
 } else {
   return(
false);
 }

}

function
destroy($id)
{
 global
$sess_save_path;

 
$sess_file = "$sess_save_path/sess_$id";
 return(@
unlink($sess_file));
}

function
gc($maxlifetime)
{
 global
$sess_save_path;

 foreach (
glob("$sess_save_path/sess_*") as $filename) {
   if (
filemtime($filename) + $maxlifetime < time()) {
     @
unlink($filename);
   }
 }
 return
true;
}

session_set_save_handler("open", "close", "read", "write", "destroy", "gc");

session_start();

// proceed to use sessions normally

?>

Code Examples / Notes » session_set_save_handler

jpm

You may also use static class methods as the 'function names' for session_set_save_handler(), as in:
<?php
session_set_save_handler(
 array("SessionHandler", "open"),
 array("SessionHandler", "close"),
 array("SessionHandler", "read"),
 array("SessionHandler", "write"),
 array("SessionHandler", "destroy"),
 array("SessionHandler", "gc")
);
?>
Anyway, just a little note that this is also possible.


spam

You can't use the session autostart feature with
session.save_handler = user
set in your php.ini. Use instead the auto_prepend_file directive in the php.ini and point it to your save_handler with an session_start() at the end.


mjohnson

With regards to the read handler, the docs say:
 "Read function must return string value always to make save
 handler work as expected. Return empty string if there is no
 data to read."
I can't emphasize this enough. I just spent half a day trying to figure out why my sessions weren't storing any information. I was blithely returning the results of a query on the database from the read handler. Since there was no match for the new ID, the result was NULL. Since it wasn't a string, sessions were essentially disabled. So, the safe thing might be something like this:
<?php
function sessRead($id)
{
   // Look up data
   $results = getStuff($id);
   
   // Make sure it's a string
   settype($results, 'string');
   return $results;
}
?>
Of course, you can do whatever you want with it. But, no matter what, make sure you return a string.
HTH,
Michael


coco

When using mySQL for your session handling functions, don't forget to call mysql_select_db() to change the database if you are using a separate database for your session data. Call mysql_select_db() INSIDE every handler function that accesses the database, since if you write session data after accessing another database, it will not change the database to your session database, and therefore, not write the session data.

colin

When using a custom session handler, if the first callback function (sessOpen in my case) finds no session id, one is set by the time the second argument (sessRead in my case) is called.

kevin

When creating a session-handling class, I have discovered that it is important to remember that your session object and the $_SESSION global are TWO SEPARATE ENTITIES. You need to create a reference between your Session Object and the built-in $_SESSION global:
session_set_save_handler(
array(&$this, "_OPEN"),
array(&$this, "_CLOSE"),
array(&$this, "_READ"),
array(&$this, "_WRITE"),
array(&$this, "_DESTROY"),
array(&$this, "_GC")
);

session_start();
header("Cache-control: private"); // to overcome/fix a bug in IE 6.x

$this->session =& $_SESSION;
Additionally, when you add a $_SESSION variable, it's a good idea to add it as a Session Object variable at the same time, if you want your code to use the Session Object between page changes/reloads:
function setSessionVariable($key,$value) {
   $_SESSION[$key] = $value;
   $this->session[$key] = $value;
   return;
}


dolan

This is an LDAP implementation that I wrote which works just fine for me.  This assumes you've got some global variables with your host and other info.  It also uses a custom error function which I have not defined here.  Also, it assumes your LDAP server is set up with correct permissions, objectclass, and all that.  I used an octet string in LDAP to hold the session data.  I had to manually wrap some of this so be careful with cutting and pasting.
$sessconn=null;
//Custom session handling stored in local LDAP
function ldap_sess_open($save_path,$session_name) {
   global $infohost,$infoport,$infodn,$infopw,$sessconn;
   $sessconn=@ldap_connect($infohost,$infoport);
   if(!@ldap_bind($sessconn,$infodn,$infopw)) {
setError("Failed to open session.");
return false;
   }
   return true;
}
function ldap_sess_close() {
   global $sessconn;
   @ldap_close($sessconn);
   return true;
}
function ldap_sess_read($id) {
   global $sessconn;
   $sr=@ldap_search($sessconn,'ou=sessions,o=Company',
"(cn=$id)");
   $info=@ldap_get_entries($sessconn,$sr);
   if($info['count']>0)
return $info[0]['session'][0];
   else
return "";
}
function ldap_sess_write($id,$sess_data) {
   global $sessconn;
   $update=array();
   $update['objectClass']=array('phpsession','top');
   $update['session']=$sess_data;
   $dn="cn=$id,ou=sessions,o=Company";
   @ldap_delete($sessconn,$dn);
   @ldap_add($sessconn,$dn,$update);
   return true;
}
function ldap_sess_destroy($id) {
   global $sessconn;
   $dn="cn=$id,ou=sessions,o=Company";
   @ldap_delete($sessconn,$dn);
   return true;
}
function ldap_sess_gc($maxlifetime) {
   global $sessconn;
   $sr=@ldap_search($sessconn,'ou=sessions,o=Company',
'(objectClass=phpsession)',array('+','cn'));
   $info=@ldap_get_entries($sessconn,$sr);
   if($info['count']>0) {
for($i=0;$i<$info['count'];$i++) {
   $id=$info[$i]['cn'][0];
   $dn="cn=$id,ou=sessions,o=Company";
   $modified=stamp2local($info[$i]['modifytimestamp'][0]);
   if((time()-$modified)>=$maxlifetime)
@ldap_delete($sessconn,$dn);
}
   }
   return true;
}
//converts my LDAP timestamps over to Unix timestamps
function stamp2local($ldapstamp) {
   $year=substr($ldapstamp,0,4);
   $month=substr($ldapstamp,4,2);
   $day=substr($ldapstamp,6,2);
   $hour=substr($ldapstamp,8,2);
   $minute=substr($ldapstamp,10,2);
   $stamp=gmmktime($hour,$minute,0,$month,$day,$year);
   return $stamp;
}
//Use this so that if your LDAP server goes down people can still
//retain sessions the normal way
$checkds=@ldap_connect($infohost,$infoport);
if(@ldap_bind($checkds,$infodn,$infopw)) {
   session_set_save_handler("ldap_sess_open","ldap_sess_close",
"ldap_sess_read","ldap_sess_write","ldap_sess_destroy",
"ldap_sess_gc");
}
@ldap_close($checkds);


sroby

The Web app I work on stores sessions in a database using PEAR::DB, so when I migrated it to PHP 5 everything broke because the DB object was unallocated by the time the write/close handlers were called.
However, I've found that adding <?php register_shutdown_function("session_write_close"); ?> works fine as a workaround to the problem.


sneakyimp

the behavior, return values, and exact time of calling for these functions is pretty poorly documented here.  i thought folks might like to know that:
1) calling session_start() triggers PHP to first call your open function and then call your read function before resuming with the code immediately following your session_start() call.
2) calling session_id('some_value') within your open function WILL NOT SET THE SESSION COOKIE (at least not on my setup - PHP 4.4.1).  Assuming you defined some function to validate a session id called my_func(), you might want to do something like this in your open function:
[PHP]
<?php
 function _open($save_path, $session_name) {
   // check for session id
   $sess_id = session_id();
   if (empty($sess_id) || !myfunc($sess_id)) {
     //session_id is INVALID - generating new
     $new_id = md5(uniqid("some random seed here"));
     session_id($new_id);
     setcookie(session_name(),
                   $new_id,
                   0,
                   "/",
                   ".mydomain.com");
     }
   return true;
 } // _open()
?>
[/PHP]
PS:  CAN WE GET SOME REAL DOCUMENTATION FOR WHAT THESE FUNCTIONS ARE, WHAT THEY REQUIRE, WHEN THEY ARE CALLED, AND WHAT EXACTLY THEY ARE SUPPOSED TO DO?


djmaze@cpgnuke cms

Since register_shutdown_function() and __destruct() will not work on object based sessions, ESPECIALY when they are database based thru a class, then it seems you're screwed.
Issue:
register_shutdown_function('shutdown_function');
new sql();
new session();
on destruct:
sql __destruct()
session __destruct() // can't call sql since already destroyed
shutdown_function() // can't call instances since already destroyed
A trick is to use an "first class instance"
<?php
class my_proper_destructor
{
protected $destroyers = array();
function add($class_instance)
{
if (is_class($class_instance))
$destroyers[] = $class_instance;
}
function __destruct()
{
foreach($destroyers as $des)
$des->on_destroy();
}
}
$destruct = new my_proper_destructor();
// All your code starts here like:
class session
{
function __construct()
{
global $destruct;
$destruct->add($this);
}
}
?>
Since my_proper_destructor is created first it also gets destroyed as the first. That way you can still call important class instances that need to do something on destruct.


robert chapin

Session authentication is not meant to be part of the session handlers.
These handlers only read and write the session data itself, and will not allow you to call the vital function session_regenerate_id().
To add extra authentication routines, call them after session_start returns control.  DO NOT put them in your 'open' or 'read' handlers.
Enjoy,
-- Miqro


frank

REPLY TO >>>>> Keamos at gmail dot com [ 23-Oct-2005 10:34 ]
I would like to mention that there is a major flaw in your implementation:
I'll explain:
look at the 1st line:  
$sessionLifetime = get_cfg_var("session.gc_maxlifetime");
then look at the write function in short:
global $db, $sessionLifetime;
$expiry = time() + $sessionLifetime;
$sql = 'SELECT `expiry` FROM ' . SESSIONS_TABLE . " WHERE `sessionid`=$sessionid";
if(null === $sql)
{
         $sql = 'INSERT INTO ' . SESSIONS_TABLE . " (`sessionid`, `expiry`, `value`) VALUES ($sessionid, $expiry, $sessionData)";
}
else
{
        $sql = 'UPDATE `' . SESSIONS_TABLE . "` SET `expiry`=$expiry, `value`=$sessionData WHERE `sessionid`=$sessionid";
}
then look at the garbage function in short:
$sql = 'DELETE FROM ' . SESSIONS_TABLE . " WHERE expiry < $time";
if you look carefully you will see this in the write function:
$expiry = time() + $sessionLifetime;
and this in the garbage function:
'DELETE FROM ' . SESSIONS_TABLE . " WHERE expiry < $time";
to be short, your session will never be destroyed except when you explicitly call the destroy function!
have a nice 1...


scott p.

Reference to the ldap implementation above: I'd strongly suggest against using ldap to store sessions, as an ldap server is designed specifically to serve data that changes rarely (compared to a database). While an ldap server is quick to retreive data, it has a very slow update time. So using this to store constantly changing data will kill a moderately busy website in next to no time!

bachir

php doesn't make any checks about PHPSESSID cookie format, it is then important to verify cookie format before making any sql request.
if your read session request is :
SELECT DataValue FROM sessions WHERE SessionID='$aKey'
this generic cookie could succeed to access others session: PHPSESSID=1' OR SessionID LIKE '%>>
for safety, you can make this verification before sql request:
if (! preg_match('/^([0-9a-f]{32})$/i',$aKey)) return NULL;
hope this can be helpful


ccav

Ok, after much hairpulling, I've figured out a successful way to store objects in a session using a postgresql savehandler.
function write ($id, $sess_data)
{
 global $sql;  // my global db connection object
 $sess_data = @pg_escape_bytea(serialize($sess_id)); //works with any type
 $sql->Query("delete from sessions where sessionid = '$id'"); // delete old session record
 $sql->Query("insert into sessions (sessionid,datavalue) values ('$id', '$sess_data')");  //insert into session table
 return true;
}
function read ($id)
{
 global $sql;
 $result=$sql->Query("select * from sessions where sessionid = '$id'");
 if ($sql->rows==1) {
   $row=$sql->Fetch(0);
   $rval = unserialize(@pg_unescape_bytea($sql->data[2]));
   return $rval;
 } else {
   return "";
 }
}
Make the datavalue column (the one used to store the actual session data) in the sessions table type bytea.
The problem apparently lies in the PHP serialize for objects, where there is a CR/LF inserted between the object id and the property array.  The CR/LF isn't escaped, and causes a fit for postgresql.
Any data type in PHP can be serialized, so there's no need to distinguish between types.
The object is fully restored, with methods.


stalker

object- and mysql-based session-handler, requires the following table:
CREATE TABLE `ws_sessions` (
 `session_id` varchar(255) binary NOT NULL default '',
 `session_expires` int(10) unsigned NOT NULL default '0',
 `session_data` text,
 PRIMARY KEY  (`session_id`)
) TYPE=InnoDB;
<?php
class session {
   // session-lifetime
   var $lifeTime;
   // mysql-handle
   var $dbHandle;
   function open($savePath, $sessName) {
      // get session-lifetime
      $this->lifeTime = get_cfg_var("session.gc_maxlifetime");
      // open database-connection
      $dbHandle = @mysql_connect("server","user","password");
      $dbSel = @mysql_select_db("database",$dbHandle);
      // return success
      if(!$dbHandle || !$dbSel)
          return false;
      $this->dbHandle = $dbHandle;
      return true;
   }
   function close() {
       $this->gc(ini_get('session.gc_maxlifetime'));
       // close database-connection
       return @mysql_close($this->dbHandle);
   }
   function read($sessID) {
       // fetch session-data
       $res = mysql_query("SELECT session_data AS d FROM ws_sessions
                           WHERE session_id = '$sessID'
                           AND session_expires > ".time(),$this->dbHandle);
       // return data or an empty string at failure
       if($row = mysql_fetch_assoc($res))
           return $row['d'];
       return "";
   }
   function write($sessID,$sessData) {
       // new session-expire-time
       $newExp = time() + $this->lifeTime;
       // is a session with this id in the database?
       $res = mysql_query("SELECT * FROM ws_sessions
                           WHERE session_id = '$sessID'",$this->dbHandle);
       // if yes,
       if(mysql_num_rows($res)) {
           // ...update session-data
           mysql_query("UPDATE ws_sessions
                        SET session_expires = '$newExp',
                        session_data = '$sessData'
                        WHERE session_id = '$sessID'",$this->dbHandle);
           // if something happened, return true
           if(mysql_affected_rows($this->dbHandle))
               return true;
       }
       // if no session-data was found,
       else {
           // create a new row
           mysql_query("INSERT INTO ws_sessions (
                        session_id,
                        session_expires,
                        session_data)
                        VALUES(
                        '$sessID',
                        '$newExp',
                        '$sessData')",$this->dbHandle);
           // if row was created, return true
           if(mysql_affected_rows($this->dbHandle))
               return true;
       }
       // an unknown error occured
       return false;
   }
   function destroy($sessID) {
       // delete session-data
       mysql_query("DELETE FROM ws_sessions WHERE session_id = '$sessID'",$this->dbHandle);
       // if session was deleted, return true,
       if(mysql_affected_rows($this->dbHandle))
           return true;
       // ...else return false
       return false;
   }
   function gc($sessMaxLifeTime) {
       // delete old sessions
       mysql_query("DELETE FROM ws_sessions WHERE session_expires < ".time(),$this->dbHandle);
       // return affected rows
       return mysql_affected_rows($this->dbHandle);
   }
}
$session = new session();
session_set_save_handler(array(&$session,"open"),
                        array(&$session,"close"),
                        array(&$session,"read"),
                        array(&$session,"write"),
                        array(&$session,"destroy"),
                        array(&$session,"gc"));
session_start();
// etc...
?>


rudy dot metzger

NOTE: as from php-5.0.5, objects are destroyed BEFORE the session_write() is called! So if you use an object as custom session handler, your writes will fail, as at the moment of write the object is already destroyed. A workaround for this is to use session_write_close() in the __destruct() of the object. This however only works if you do not need any other objectes, as these already might be gone! I only hope that object are destroyed in "descening" order, as if you would have a DB object in the session handler object which handles the DB connects, you would have to use __destruct() also in this object. otherwise your session object is still alive but your DB is long gone...
I raised a bug for this already but it is claimed that this is no bug.
This only applies to versions 5.0.5 (and possibly higher)


markus

Note that there's a bug with custom session handlers and when you want to start a session again after you have called session_destroy.
session_destroy disables the custom session_handler and this a call to session_start after it will fail with "Failed to initialize storage module".
See http://bugs.php.net/32330 for more information and a workaround.


information

Note that if session.auto_start is set to On in the php.ini, your session_set_save_handler will return false as the session has already been initialized.
If you are finding that your code works OK on one machine but doesn't work on another, check to see if session.auto_start is set to On


matt

Note that for security reasons the Debian and Ubuntu distributions of php do not call _gc to remove old sessions, but instead run /etc/cron.d/php*, which check the value of session.gc_maxlifetime in php.ini and delete the session files in /var/lib/php*.  This is all fine, but it means if you write your own session handlers you'll need to explicitly call your _gc function yourself.  A good place to do this is in your _close function, like this:
<?php
function _close() {
   _gc(get_cfg_var("session.gc_maxlifetime"));
  // rest of function goes here
}
?>


niklas

Many people are using session_set_save_handler to store the session in a session database, which ofcourse is both valid and smart since it (could) increas security.
What many people forgets, is that session ids can easily be edited by a user as he see fit (by editing a session_cookie for example*)
* If you like to play around to test your site, check Add n edit Cookies extension for firefox.
This might not be a big deal when saving them in a file, since the worst thing that may happen is that the user losts his session and a new one is generated. But when saving to an DB it is*. One should never trust that the server itself add slashes and escapes other vital characters.
* A google search for "SQL Injection" gives 716 000 hits.
Example code, none working:
<?PHP
   function read ($session_id)
   {
$sql        = mysql_query("SELECT * FROM mysessions WHERE session_id=$session_id");
       $data= mysql_fetch_array($sql);
       }
   }
?>
Is obviously flawed. Since setting our session ID to "; drop mysessions; " would create serious problems.
A more suitable approch would be, something in the lines of:
Example code, none working:
<?PHP
   function read ($session_id)
   {
  // ( Code by php.net )
  if (get_magic_quotes_gpc()) {
      $session_id = stripslashes($session_id);
  }
  // Quote if not integer
  if (!is_numeric($session_id)) {
      $session_id = mysql_real_escape_string($session_id);
  }
$sql        = mysql_query("SELECT * FROM mysessions WHERE session_id=$session_id");
       $fieldarray = mysql_fetch_array($sql);
       }
   }
?>
I quick checked different sample codes and tutorials and none of them actually escaped session ids.
That's my two cents for too night,
Niklas


ivo

Just a few words to explain some troubles while using session_set_save_handler(). It appears that internally PHP calls session management functions in this order: open(), read(), write(), close(). Close() function is called even if you does not make a call to sesison_start(), perhaps for some reasons like cleaning.
  If you try to redefine these functions and call sessions_set_save_handler() but something doesn't work, (in my case the ssion data hasn't been written) it's a good idea to debug them in the order they are called. They doesn't produce error output to browser but you can use print or echo.
  Shortly, if your write() function doesn't work as expected take a look for errors in previous functions - open() and read().
  I hope that this will help to save someone few hours debugging.


monty

It's really important to apply addslashes() to the serialized values passed to your custom session Write handler if you are using MySQL for storing sessions, even if you have magic_quotes turned on. Otherwise, values stored in $_SESSION will not be saved with the actual session in MySQL, or will be truncated.
<?
function sessWrite($key, $val) {
   $val = addslashes($val);
   // Now do your database insert here.
   return TRUE;
}
?>
Without addslashes(), the above handler would simply not work, and you will get no error back from PHP about it either.


korvus

It seems when you call 'session_name()', php loads the session id automatically from GET ( if the index exists ) and passes it to the 'read' callback method correctly, but the 'write' callback is invoked twice: first the auto-generated session id, then the custom session id
So be aware of what queries you execute inside the callback .. I got crazy because I used a MySQL 'REPLACE' statement to agilize, and I spent a lot of hours trying to understand why 2 rows instead of 1 were being affected ( the first id was inserting, the second updating )
I hope this helps!


mixailo

It is useful to use MEMORY storage engine in MySQL while handling sessions.
http://dev.mysql.com/doc/refman/5.0/en/memory-storage-engine.html


rsumibcay

In the below example posted by "shaun at shaunfreeman dot co dot uk". You shouldn't call gc() within the close() method. This would undermine PHP's ability to call gc() based on session.gc_probability and session.gc_divisor. Not to mention an expensive database hit if you are calling gc() on every request. This can become more problematic for load balanced servers talking to a single database server. And even more expensive if the database is setup to replicate your data for failover.

jonathan zylstra

In response to  korvus at kgstudios dot net
11-Jun-2005 05:34:
Actually, using MySQL REPLACE, and getting the number of
affected rows = 2, means that one row was being deleted,
and one row being inserted.
That would happen if your session id was already in the database, and you write to it using 'REPLACE' ... it deletes the old session data, and REPLACE's it with the updated session data, thus resulting in two affected rows.
See:
http://dev.mysql.com/doc/refman/4.1/en/replace.html
I would be careful in assuming that the 'write' callback is called twice because of the behavior of your SQL code.


cthree

In reply to rudy dot metzger at pareto dot nl:
One option to work around this problem is to instantiate your database connection from within session class:
class Session {
 public $db;
 public function open( $path, $name ) {
   $this->db = mysql_connect(...); // or whatever works
   return true;
 }
 ...
 public function close() {
   mysql_close( $this->db ); // or whatever works
   return true;
 }
}
$session = new Session;
session_set_save_handler(
 array(&$session, "open"),
 ...
 array(&$session, "close"),
 ...
 );
session_start();
$db =& $session->db;
...
HTH


mastabog

In regard to the note dated 28-Jan-2006 09:15 (there is no email) and the webpage it links to.
That is not the way objects should be saved into session. You should not just assign the entire object to $_SESSION['myObj'] and hope for the best while waiting for the script to end and for the php internal engine to serialize your object, call destructors etc.
You should serialize your object beforehand by specifically calling serialize() on your object and assign the serialized string to a session key.
Yeah, You might be wondering if this isn't defeating the whole purpose. It's not. This way you are sure that your object is serialized correctly and don't have to worry about how session handlers mess with it. You now have a string variable to assign wherever you want and you avoid all the mess of session write()/close() being called before object destructors. You also have more control over the state of the object you want to save into session (the serialized object will not reflect changes done to the object after serialization) and will also end up with a code that is more likely to survive over time in case the guys at PHP decide to make other changes to the session functions.
Marcus has recently introduced the Serializable interface (php 5.1.2) which IMO will improve things *a lot* and is the right way to serialize objects. The problem with it though is that it breaks object references in some cases. I already made a bug report here: http://bugs.php.net/bug.php?id=36424
You can mimic the Serializable interface's methods by adding a public method to your classes that assigns serialize($this) to $_SESSION['myObj'] and another static method that acts as a constructor, returning unserialize($_SESSION['myObj']). This way you have even more control for serializing your objects as you can modify your Foo::serialize()/unserialize() methods to perform other tasks as well.
<?php
class Foo
{
   const SESSION_KEY = 'someKeyName';
   // ...
   // other definitions go here
   // ...
   static function unserialize ($key = self::SESSION_KEY)
   {
       return isset($_SESSION[$key]) ? unserialize($_SESSION[$key]) : false;
   }
   public function serialize ($key = self::SESSION_KEY)
   {
       $_SESSION[$key] = serialize($this);
   }
}
$Obj = new Foo();
// do somehting on $Obj here
$Obj->serialize();
// continue until the end of script
?>
When getting your object from session you just do:
<?php
// try getting your obj from session
$Obj = Foo::unserialize();
// and to make sure you do a valid Foo instance:
// (you can also do this inside Foo::unserialize() if you want)
$Obj instanceOf Foo or $Obj = new Foo();
?>
If you need to save multiple instances of the same class then just pass a different parameter to Foo::serialize() and Foo::unserialize(). You can also extend your classes over a class like Foo above and overload the Foo::serialize()/unserialize() methods. Of course, you can do all that without having dedicated methods in your classes (yuck).


boswachter

If you're creating a sessionhandler class, and use a database-class and you are experiencing problems because of destroyed objects when write is called, you can fix this relatively easily:
register_shutdown_function("session_write_close");
This way, the session gets written of before your database-class is destroyed.


steve

if you want to call session_start again after session_destroy, you have to call session_set_save_handler a second time. otherwise the session module doesn't know about all the nice functions you defined earlier because it has been destroyed.
example:
# session handlers functions are defined
# somewhere else
session_set_save_handler ("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
session_start();
# do some stuff ...
session_destroy();
# call this again, because session_destroy
# destroys more than just the session.
session_set_save_handler ("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
session_start();
...
we need to call session_start() twice in our login script to prevent multiple logins. i tore my hair out over this one. hope this helps someone else. :)


ysu

if you have the problem [markus at fischer dot name]
mentioned earlier with the "Failed to initialize storage module" error (I do), you can simply call session_set_save_handler() again after the  session_write_close() and before another session_start() as a temp. workaround...


joe wheeler

If you happen to want to build a session manager object you can set the handlers from inside the class. This helps to keep the class encapsulated which helps make it nice and reusable.
class Session_manager {
...
   session_set_save_handler(
       array(& $this, 'session_open_method'),
       array(& $this, 'session_close_method'),
       array(& $this, 'session_read_method'),
       array(& $this, 'session_write_method'),
       array(& $this, 'session_destroy_method'),
       array(& $this, 'session_gc_method')
   );
...
}
Each handler is identified by an array containing a self-reference to the instance (note the &) and a string identifying a method in the session manager class.
Remember that the new operator passes back a copy of the object. This is important if you want to call session_set_save_handler() from inside the class constructor. You must remember to use another reference when you create the instance...
$my_session_manager = & new Session_manager;
Otherwise the session handlers will be assigned to an instance which is created by the new operator and NOT to the copy which is stored in the variable $my_session_manager.


balu

If a session is closed the save-handlers seem to be resetted (in PHP 4.1.2 they are), so you need to run session_set_save_handler() again after e.g. running session_write_close() and restarting the session with session_start();

james

I think it is very important here to stress that the WRITE method should use UPDATE+INSERT (or mysql specific REPLACE).
There is example code "out there" that uses just UPDATE for the write method, in which case, when session_regenerate_id is called, session data is lost (as an update would fail, as the key has changed).
I've just wasted a whole day due to this (I know I should have thought it through / RTFM, but it is an easy trap to fall into).


equazcion

I know this might be obvious, but session_set_save_handler() should only be called once per session, or else your saved data will keep getting reset.
If your script doesn't have a predictable start page that will only be called only once per session, place the session_set_save_handler statement in an include file, and call it via require_once().


jaik

I have something to add to the note from rudy dot metzger at pareto dot nl.
As objects are being destroyed before sessions are written as of PHP 5.0.5, we can use a __destruct() method to call session_write_close() in a class-based session handler.
It is possible for your session handling class to use other objects. It's just a matter of calling session_write_close() at the end of your script, rather in a __destruct() method.
eg.
<?php
echo "You've been to this page " . $oSession->hits . " times before";
$oSession->hits++;
session_write_close();
?>
It's generally best to make declare a function in your common include file(s) that is called at the end of every script on your site. That way you can do any cleanups you need, and also call session_write_close().


tonanbarbarian

I found the need to have a garbage collection function run with my sessions so I had to write my own session handler.
I took the example code above but found that it had a problem, it does not open the session file exclusively.
This means that if you have a frameset where 2 pages are accessing the session at the same time and both modify the session only the last page to finish processing will have its session data saved. The first page will have all of its session data overwritten.
So here is a modified version of a file session handler in PHP that has file locking. (Not supported on FAT or NFS apparently)
$sess_save_path = $sess_session_name = $fp=null;
function open ($save_path, $session_name) {
 global $sess_save_path, $sess_session_name;
     
 $sess_save_path = $save_path;
 $sess_session_name = $session_name;
 return(true);
}
function close() {
 global $fp;
 flock($fp, LOCK_UN);
 fclose($fp);
 $fp=null;
 return(true);
}
function read ($id) {
 global $sess_save_path, $sess_session_name, $fp;
 $sess_file = "$sess_save_path/sess_$id";
 if ($fp = @fopen($sess_file, "r+")) {
   flock($fp, LOCK_EX);
   $sess_data = fread($fp, filesize($sess_file));
   return($sess_data);
 } else {
   return(""); // Must return "" here.
 }
}
function write ($id, $sess_data) {
 global $sess_save_path, $sess_session_name, $fp;
 $sess_file = "$sess_save_path/sess_$id";
 if (!empty($fp)) {
   fseek($fp,0);
   return(fwrite($fp, $sess_data));
 } elseif ($fp = @fopen($sess_file, "w")) {
   flock($fp, LOCK_EX);
   return(fwrite($fp, $sess_data));
 } else {
   return(false);
 }
}
function destroy ($id) {
 global $sess_save_path, $sess_session_name;
     
 $sess_file = "$sess_save_path/sess_$id";
 return(@unlink($sess_file));
}
function gc ($maxlifetime) {
   global $sess_save_path, $sess_session_name;
     
 $sess_file = "$sess_save_path/sess_$id";
 return true;
}
session_set_save_handler ("open", "close", "read", "write", "destroy", "gc");
enjoy


turan yilmaz

I found a very good written custom session handling code from:http://www.zend.com/zend/spotlight/code-gallery-wade8.php

maximumpig

I believe equazcion is not correct--the environment is refreshed with each script so session_set_save_handler() should be called with each script, not once per session.

rafael dot tz

Hi people! I was wondering about a MySQL Sessions control... Here is some of my work, a little mod on some cods that I've found this far:
if(!mysql_table_exists("sessions",$DB))
{
      $query = 'CREATE TABLE sessions
                (
                 SessionID     char(255)   not null,
                 LastUpdated   datetime    not null,
                 DataValue     text,
                 PRIMARY KEY ( SessionID ),
                 INDEX ( LastUpdated )
                )';
      mysql_query($query);
}
                           
function sessao_open($aSavaPath, $aSessionName)
{
      global $aTime;
      sessao_gc( $aTime );
      return True;
}
function sessao_close()
{
      return True;
}
function sessao_read( $aKey )
{
      $query = "SELECT DataValue FROM sessions WHERE SessionID='$aKey'";
      $busca = mysql_query($query);
      if(mysql_num_rows($busca) == 1)
      {
            $r = mysql_fetch_array($busca);
            return $r['DataValue'];
      } ELSE {
            $query = "INSERT INTO sessions (SessionID, LastUpdated, DataValue)
                      VALUES ('$aKey', NOW(), '')";
            mysql_query($query);
            return "";
      }
}
function sessao_write( $aKey, $aVal )
{
      $aVal = addslashes( $aVal );
      $query = "UPDATE sessions SET DataValue = '$aVal', LastUpdated = NOW() WHERE SessionID = '$aKey'";
      mysql_query($query);
      return True;
}
function sessao_destroy( $aKey )
{
      $query = "DELETE FROM sessions WHERE SessionID = '$aKey'";
      mysql_query($query);
      return True;
}
function sessao_gc( $aMaxLifeTime )
{
      $query = "DELETE FROM sessions WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(LastUpdated) > $aMaxLifeTime";
      mysql_query($query);
      return True;
}
session_set_save_handler("sessao_open", "sessao_close", "sessao_read", "sessao_write", "sessao_destroy", "sessao_gc");


keamos

Here's a set of session-handling functions that uses PEAR::DB  and a database to store the php sessions. The only assumption I make is your PEAR::DB object is called $db.
mySQL:
CREATE TABLE `sessions` (
 `sessionid` varchar(40) binary NOT NULL default '',
 `expiry` int(10) unsigned NOT NULL default '0',
 `value` text NOT NULL,
 PRIMARY KEY  (`sessionid`)
) TYPE=MyISAM COMMENT='Sessions';
<?
$sessionLifetime = get_cfg_var("session.gc_maxlifetime");

function _openSession($savePath, $id)
{
//We don't need to create any new file handles, et cetera
return TRUE;
}
function _closeSession()
{
//We don't need to close any file handles, et cetera
return TRUE;
}
function _readSession($sessionid)
{
global $db, $sessionLifetime;
$sessionid = $db->quoteSmart($sessionid);
$time = time();
$sql = 'SELECT `value` FROM ' . SESSIONS_TABLE . " WHERE `sessionid`=$sessionid AND `expiry` > $time";
$result = $db->getOne($sql);

if (PEAR::isError($result))
{
//Must return "" because php.net says so
return "";
}
else
{
return $result;
}
//Something slipped through the cracks, so throw an error
return "";
}
function _writeSession($sessionid, $sessionData)
{
global $db, $sessionLifetime;
$expiry = time() + $sessionLifetime;
$sessionid = $db->quoteSmart($sessionid);
$sessionData = $db->quoteSmart($sessionData);
$sql = 'SELECT `expiry` FROM ' . SESSIONS_TABLE . " WHERE `sessionid`=$sessionid";
$result = $db->getOne($sql);
if ($result === NULL)
{
$sql = 'INSERT INTO ' . SESSIONS_TABLE . " (`sessionid`, `expiry`, `value`) VALUES ($sessionid, $expiry, $sessionData)";
$result = $db->query($sql);
if (PEAR::isError($result))
{
//error of some sort
return FALSE;
}
return TRUE;
}
else
{
$sql = 'UPDATE `' . SESSIONS_TABLE . "` SET `expiry`=$expiry, `value`=$sessionData WHERE `sessionid`=$sessionid";
$result = $db->query($sql);
//Something went wrong
if (PEAR::isError($result))
{
return FALSE;
}
return TRUE;
}
//Something slipped through, so throw an error
return FALSE;
}
function _destroySession($sessionid)
{
global $db;
$sessionid = $db->quoteSmart($sessionid);
$sql = 'DELETE FROM ' . SESSIONS_TABLE . " WHERE `sessionid`=$sessionid";
$result = $db->query($sql);
if (!PEAR::isError($result))
{
return TRUE;
}
return FALSE;
}
function _gcSession($maxlifetime)
{
global $db;
$time = $db->quoteSmart(time());
$sql = 'DELETE FROM ' . SESSIONS_TABLE . " WHERE expiry < $time";
$result = $db->query($sql);
if (PEAR::isError($result))
{
return 0;
}
return $db->affectedRows();
}
session_set_save_handler("_openSession", "_closeSession", "_readSession", "_writeSession", "_destroySession", "_gcSession");
?>


17-jan-2006 09:04

function __construct() {
session_set_save_handler(array(&$this, 'open'),
                        array(&$this, 'close'),
                        array(&$this, 'read'),
                        array(&$this, 'write'),
                        array(&$this, 'destroy'),
                        array(&$this, 'gc'));
register_shutdown_function('session_write_close');
session_start();
}


andrew

For those interested in a postgresql version.  Seems to work but dont come crying to me when it eats your pistachio nuts!
<?
Derived from php file version on website, changes copyright andrew@netrux.com.
/*
create table sessions(
sessionid     char(255) primary key not null,
lastupdated   timestamp not null,
datavalue     text);
*/
function open ($save_path, $session_name) {
 $sess_conn=pg_connect("host=localhost dbname= user=postgres")
  or die ("PostgreSQL error: --> " . pg_last_error($sess_conn));
 return(true);
}
function close() {
 return(true);
}
function read ($id) {
 $result=pg_query("select * from sessions where sessionid = '$id'")
  or die ("PostgreSQL error: --> " . pg_last_error($sess_conn));
 if (pg_num_rows($result)==1) {
   $row=pg_fetch_array($result);
   return($row[2]);
 } else {
   return("");
 }
}
function write ($id, $sess_data) {
   pg_query("delete from sessions where sessionid = '$id'")
    or die ("PostgreSQL error: --> " . pg_last_error($sess_conn));
   pg_query("insert into sessions(sessionid,lastupdated,datavalue) values('$id','now'::timestamp,'$sess_data')")
    or die ("PostgreSQL error: --> " . pg_last_error($sess_conn));
   return(true);
}
function destroy ($id) {
 pg_query("delete from sessions where sessionid = '$id'")
  or die ("PostgreSQL error: --> " . pg_last_error($sess_conn));
 pg_close($sess_conn);
 return(true);
}
/*********************************************
* WARNING - You will need to implement some *
* sort of garbage collection routine here.  *
*********************************************/
function gc ($maxlifetime) {
 return true;
}
session_set_save_handler ("open", "close", "read", "write", "destroy", "gc");
?>


oliver

For some people it might be important to know, that if the standard session handler has been overwritten with session_set_save_handler, no locking is working anymore (between session_read and session_write). The following might happen:
script "A" start         .
read session data        .
.                        script "B" start
.                        read session data
running (30secs)         add session data
.                        write sesion data
.                        script "B" stop
write session data       .
script "A" stop          .
If a script "A" runs for a long time (say 30secs) the same user might start another script "B", which also uses a session. Script "B" will start and read session data, even though script "A" is still running. Because script "B" is much faster it will finish its work and write back its session data before script "A" has ended. Now script "A" ends and overwrites all of script "B"'s session data. If you DON'T use session_set_save_handler, this cannot happend, because in this case, PHP will not start script "B" until script "A" ends.


ido
Encrypted Sessions:  For those who are either sending their session data in the clear (i.e.: MySQL connections without SSL), or who have sensitive data stored in sessions (such as credit card information!) and wish to protect their users.
I have placed a link to a very crude example of session data encryption for MySQL-based session handling below:
http://www.cs.uchicago.edu/~ido/session_include_php.txt
I apologize if the code is a bit sloppy.  I might release some of my better code for this kind of thing if I have time to delete any site-specific references from that code.
Donate to my college education:)
http://www.cs.uchicago.edu/~ido/donate.php  
Motivation: While most online merchants do not store personal or credit card information in plaintext, most use standard sessions provided by PHP or other database session handlers which store session data in the clear.  Most shopping cart solutions store very sensitive data in session variables.
I hope I can convince more of my fellow web developers to make the minimal effort to protect privacy and confidentiality of user data by encrypting session data prior to storage. All sites developed (even in part) by me feature session data encryption, most of which feature automatic monthly regeneration of random encryption keys (and flawless auto-rollover to the new keys).
In practice, you would probably want to store the symmetric key in a safer location, such as in your Apache config file as a PHP global variable.  Regardless, encryption should be a minimal precaution when sensitive data (session data, for example) is sent across a network -- such as when your database and web servers are on different hosts, or when your database server is on a machine which you cannot ensure is secure.


colin

Aspects of this have been posted in various comments but it's helpful to make it clearer.
The custom session handler seems to perform actions in these orders:
When session_start() is called:
open
read
clean (if cleaning is being done this call)
write
close
When session_destroy() is called after session_start():
open
read
clean (if cleaning is being done this call)
destroy
close
When session_regenerate_id(1) is called after session_start():
open
read
clean (if cleaning is being done this call)
destroy
write
close


28-jan-2006 05:15

As posted here (http://marc.theaimsgroup.com/?l=php-general&m=113833844422096&w=2) the session module cannot handle objects anymore (tested in 5.1.2).
You have to add
> session_write_close();
at the end of your script to save the object values into the session.
This may indicate general problem. session_write_close() is called in the session module's rshutdown() method, which is much too late: Since 5.1 the zend_object_store is cleaned before the module's rshutdown hook is called.  Furthermore it is not guaranteed that the session module's rshutdown method is called before your module's rshutdown gets called.
In other words: Session shutdown seems to be broken in all PHP versions. It is better to always add session_write_close() to the end of your scripts.  This works with all php versions and it will work with future versions of php whether or not this problem gets fixed.


shaun

After much messing around to get php to store session in a database and reading all these notes, I come up with this revised code based on 'stalker at ruun dot de' class.
I wanted to use PEAR::MDB2. The only assumption I make is your PEAR::MDB2 object is called $db
SQL:
CREATE TABLE `sessions` (
 `session_id` int(10) unsigned NOT NULL auto_increment,
 `session` varchar(255) character set utf8 collate utf8_bin NOT NULL,
 `session_expires` int(10) unsigned NOT NULL default '0',
 `session_data` mediumtext collate utf8_unicode_ci,
 PRIMARY KEY  (`session_id`),
 KEY `session` (`session`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
<?php
class Session {
// session-lifetime
public $lifeTime;
function __construct ($db) {
// get session-lifetime
$this->lifeTime = get_cfg_var("session.gc_maxlifetime");
      // open database-connection
$this->mdb2 =& MDB2::factory($db);
if (PEAR::isError($this->mdb2)) {
$php_errormsg .= $this->mdb2->getMessage();
$php_errormsg .= $this->mdb2->getDebugInfo();
}
session_set_save_handler(array(&$this, 'open'),
array(&$this, 'close'),
array(&$this, 'read'),
array(&$this, 'write'),
array(&$this, 'destroy'),
array(&$this, 'gc'));
register_shutdown_function('session_write_close');
session_start();
  return true;
}
function open($savePath, $sessName) {
// get session-lifetime
$this->lifeTime = get_cfg_var("session.gc_maxlifetime");
return true;
}
function close() {
$this->gc(ini_get('session.gc_maxlifetime'));
// close database-connection
return $this->mdb2->disconnect();
}
function read($sessID) {
global $php_errormsg;
// fetch session-data
$query = "
SELECT session_data FROM sessions
WHERE session = '$sessID'
AND session_expires >
".time();
$result = $this->mdb2->queryOne($query);
// return data or an empty string at failure
if (MDB2::isError($result)) {
$php_errormsg .= $result->getMessage();
$php_errormsg .= $result->getDebugInfo ();
return false;
}
return $result;
}
function write($sessID,$sessData) {
global $php_errormsg;
// new session-expire-time
$newExp = time() + $this->lifeTime;
// is a session with this id in the database?
$query = "
SELECT * FROM sessions
WHERE session = '$sessID'
";
$result = $this->mdb2->query($query);
// if yes,
  if($result->numRows()) {
// ...update session-data
$query = "
UPDATE sessions
SET session_expires = '$newExp',
session_data = '$sessData'
WHERE session = '$sessID'
";
  }
// if no session-data was found,
  else {
// create a new row
$query = "
INSERT INTO sessions (
session,
  session_expires,
  session_data)
VALUES(
'$sessID',
  '$newExp',
  '$sessData')
";
  }
$result = $this->mdb2->exec($query);
// if something happened, return true
if (MDB2::isError($result)) {
$php_errormsg .= $result->getMessage();
$php_errormsg .= $result->getDebugInfo ();
return false;
} else {
// ...else return true
return true;
}
}
function destroy($sessID) {
global $php_errormsg;
// delete session-data
$query = "
DELETE FROM sessions
WHERE session = '$sessID'
";
$result = $this->mdb2->exec($query);
// if session was not deleted, return false,
if (MDB2::isError($result)) {
$php_errormsg .= $result->getMessage();
$php_errormsg .= $result->getDebugInfo ();
return false;
} else {
// ...else return true
return true;
}
}
function gc($sessMaxLifeTime) {
global $php_errormsg;
// delete old sessions
$query = "
DELETE FROM sessions
WHERE session_expires <
".time();
$result = $this->mdb2->exec($query);
// return affected rows
if (MDB2::isError($result)) {
$php_errormsg .= $result->getMessage();
$php_errormsg .= $result->getDebugInfo ();
}
return $result;
}
}
?>


16-mar-2004 12:41

@andrew at netrux dot com
never forget: always add escaping when building sql strings.
mysql_escape_string() / pg_escape_string() or whatever is your friend.


Change Language


Follow Navioo On Twitter
session_cache_expire
session_cache_limiter
session_commit
session_decode
session_destroy
session_encode
session_get_cookie_params
session_id
session_is_registered
session_module_name
session_name
session_regenerate_id
session_register
session_save_path
session_set_cookie_params
session_set_save_handler
session_start
session_unregister
session_unset
session_write_close
eXTReMe Tracker