Hi guys

 

I'm building a method to my php site that will validate a user's session. One of the functions in that method is going through a Database with saved sessionIDs, and verifying that they are active. If a sessionID is not active, it should be deleted from the db.

 

I can't find a way to go over the active sessions in PHP. I know how to get the params of a single session (like, the one the user is currently configured with), but if I want to go through (server side of course) the full list of all active sessions and get their IDs, I just can't find a way.

 

There must be one... help...

 

~moo

As far as I am aware, using the default PHP session handling, the data for each session is stored in a file in the directory listed in "session.save_path" in the config.

Your best bet if you want to treat it like a database is to use session_set_save_handler to customise the behaviour of the session handling so that it writes and reads it's information from a database that you can query.

 

Another option might be looking for files of the right filenames and so on in the correct directory but this is certainly not guaranteed to give you just your sessions (depending on how the server is setup to run php and how php is configured) and is not an ideal solution.

 

Alot of people will suggest that if you are planning for this to ever run of a shared server and the session data should be kept secure, you should probably write some form of custom session handling to keep away from the php default, as it is entirely insecure, as it is trivial for other people being hosted on your webserver to look into the directory used for storing temporary session files (using /tmp/ on linux).

 

Theres alot more info here - http://uk.php.net/manual/en/ref.session.php

Your best bet if you want to treat it like a database is to use session_set_save_handler to customise the behaviour of the session handling so that it writes and reads it's information from a database that you can query.

I can't find reference for that. Can you give me a code snippet, or explain how? I am starting to get quite frustrated.

 

Or.. maybe.. if you have any other idea as to how to validate a user? I have a login form, but since my website will be open to university students, i want to make SURE that sessions are valid. So when someone logs in his IP address and sessionID are set into a DB.

 

Then, to validate, I want to go do two things:

1. Make sure that sessionID fits IPAddress and therefore the specific user is validated.

2. Go through all DB entries, and check if the sessionids in it are still active sessions (which is my problem now).

 

Any other ideas? Or any ideas on how to solve this problem? I just can't find a way to do it other than theory.. grr.

 

Thanks!!

 

~moo

There's an example of a custom script in the PHP manual page Aeternus linked to.

 

You could also just use PHP's file manipulation functions to open the temporary directory and walk through the session files. Of course, PHP already checks sessions to see how old they are, and removes them if necessary...

Another way of login check is create a table called 'temp' in ur database ...

 

It has fields such as IPaddress , tempvar(random variable for e.g: askj65634sdvkbsdkv3423) and username ...

 

Check the username and password is correct during login and if so insert into temp table .So, now if other person tries to login with same username and password on eof the two gets logged out bcaz IPaddresse's are different...

 

Try it out..