How PHP Implements Sessions

   <?php    session_start();    $_SESSION['favorite_artist'] - 'Tori Amos';    ?>Currently, my favorite artist is Tori Amos. It may also interest you to    know that my identifer for this browser session, as allocated by PHP, is    <?=session_id()?>.    <BR><BR>    <A HREF="secondpage.php">Go to the second page</A>    ?> 

   <?php    session_start();    ?>Having checked, I can tell you that my favorite artist is still    <?=$_SESSION['favorite_artist']?>.    At the moment, my identifier for this browser session, as allocated by PHP, is    <?=session_id()?>.    <BR><BR>    <A HREF="firstpage.php">Go back to the first page</A>    ?> 

The output there looks quite straightforward. You should see the session variable you created and its contents in plain text:

   favorite_artist|s:9:"Tori Amos"; 

In fact, its format might look familiar. It's the output from the PHP function serialize(), a string representation of a PHP data structure.

Regardless of how complex or large the data structure you create in the $_SESSION variable is, PHP will store its contents in this file by default. The location for storing such files, as well as the length of time for which they are stored, are all settings that can be altered in php.ini.

That's really all there is to native PHP sessions. Let's look now at some of their limitations to see why they can't be used in an enterprise environment.

Limitations of Basic PHP Sessions

There are a few key problems with implementing sessions in this manner, most of which relate to the manner in which PHP stores its session data on disk.

What if you have multiple Web servers servicing your request with a load balancer appliance round-robin dividing traffic between them? You would have to implement some kind of shared /tmp using NFS, and this would be dreadfully slow.

Second, if you're running on a shared Web server (with a hosting company, for example), the directory listing of /tmp is readable by all even if the contents of its files aren't. Given that PHP uses the session identifiers as part of the filename, a malicious fellow user on that Web server could quite easily get a full listing of all the session identifiers created as well as when they were created. This would once again open the door for easy session hijacks as discussed earlier.

Third, this implementation of session handling is not very efficient. Not one of the additional measures discussed earlier is employed for additional security, nor is it easily possible to employ them in this state. So as far as a secure environment for a production Web site using sessions is concerned, PHP session handling in its off-the-shelf state isn't really a viable option.

Finally, given that you store the rest of your application's data in a database, you are bound to have times when you need to construct queries that consult both session variables and database tables in tandem. With session data totally exterior to the database, you must first extract that data using PHP and then inject it into an SQL statement. Serious performance implications are associated with this approach when compared to conducting a single SQL query to extract the data you need. On a production server, for example, this could become quite a serious issue. The solution to this problem is to integrate the PHP session management with a database.

Professional PHP5 (Programmer to Programmer Series)

ISBN: N/A
EAN: N/A

Year: 2003
Pages: 182

BUY ON AMAZON