NYCPHP Meetup

[Joseph Crawford]

Hello Everyone,

I have implemented my session handling to take place in the database rather 
than flat files on the system. No i have a question. I read somewhere that 
it is always good to check the IP of the user to make sure the session has 
not been hijacked. Would the following be secure enough for that?


<?php

class session
{
/* Define the mysql table you wish to use with
this class, this table MUST exist. */
private $table = "sessions";
private $_db;
private $_page;
private $_sess_id;
private $_ip;


public function __construct(Database $db) {
$this->_db = $db;
}

public function init() {
$this->_sess_id = session_id();
$this->_page = $_SERVER['REQUEST_URI'];
$this->_ip = $_SERVER['REMOTE_ADDR'];

$this->CheckIP();
}

public function open($path, $name) {

return TRUE;
}

/* Close session */
public function close() {
/* This is used for a manual call of the
session gc function */
$this->gc(0);
return TRUE;
}

/* Read session data from database */
public function read($ses_id) {

$session_sql = "SELECT * FROM " . $this->table
. " WHERE ses_id = '$ses_id'";
$session_res = $this->_db->Query($session_sql);
if (!$session_res) {
return '';
}

$session_num = $this->_db->NumRows($session_res);
if ($session_num > 0) {
$session_row = $this->_db->FetchArray($session_res);
$ses_data = $session_row["ses_value"];
return $ses_data;
} else {
return '';
}
}

/* Write new data to database */
public function write($ses_id, $data) {

$this->init();

$session_sql = "UPDATE " . $this->table
. " SET ses_time='" . time()
. "', page='".$this->_page
. "', ses_value='$data' WHERE ses_id='$ses_id'";
$session_res = $this->_db->Query($session_sql);
if (!$session_res) return FALSE;

if($this->_db->AffectedRows()) return TRUE;

$session_sql = "INSERT INTO " . $this->table
. " (ses_id, ses_time, ses_start, page, ip, ses_value)"
. " VALUES ('$ses_id', '" . time()
. "', '" . time() . "', '$this->_page', '$this->_ip', '$data')";
$session_res = $this->_db->Query($session_sql);
if (!$session_res) return FALSE;
else return TRUE;
}

/* Destroy session record in database */
public function destroy($ses_id) {
$session_sql = "DELETE FROM " . $this->table
. " WHERE ses_id = '$ses_id'";
$session_res = $this->_db->Query($session_sql);
if (!$session_res) return FALSE;
else return TRUE;
}

/* Garbage collection, deletes old sessions */
public function gc($life) {
$ses_life = strtotime("-5 minutes");

$session_sql = "DELETE FROM " . $this->table
. " WHERE ses_time < $ses_life";
$session_res = $this->_db->Query($session_sql);


if (!$session_res) return FALSE;
else return TRUE;
}

private function UpdatePage() {
$session_sql = "UPDATE ".$this->table." SET 
page='".mysql_real_escape_string($this->_page)."' WHERE 
ses_id='".$this->_sess_id."'";
$this->_db->Query($session_sql);
}

 private function CheckIP() {
$intIP = explode('.', $this->_ip);
$curIP = explode('.', $_SERVER['REMOTE_ADDR']);
if( !strcmp($intIP, $curIP) ) {
$sess_sql = "DELETE FROM ".$this->table." WHERE 
ses_id='".$this->_sess_id."'";
$this->_db->Query($sess_sql);
session_destroy();
}
}
}
?>


Is this a good enough check for the IP? If the IP check fails it should 
remove the session from the database, but also it calls session_destroy Why 
did i do it this way rather than just calling $this->destroy() or just using 
session_destroy? I noticed that it was not actually removing the session 
from the database if i did not actuall make the database query myself. Any 
criticism would be appreciated as this is my first attempt at storing 
sessions in the database (with the help of a zend tutorial)
-- 
Joseph Crawford Jr.
Codebowl Solutions, Inc.
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20050801/e4ee8e44/attachment.html>