USER MANAGEMENT CODE

DB_eSession class stores sessions in a MySQL DB
By: Codewalkers
    2004-05-06


    DB_eSession is a feature-packed PHP class that stores session data in a MySQL database rather than in files (PHP's default). It is powerful, designed with security in mind, and yet easy to use. The code is heavily commented and comes with full documentation and usage examples, including a basic authentication login/logout process. It includes member functions, useful to webmasters, for monitoring or viewing, deleting, and altering session validity, for example locking one or more sessions upon detection of unauthorized use. This custom MySQL database session handler class might be just what you're looking to implement on your web or intranet site. See the list of features below:

    General features:

    Stores session data in a MySQL table using PHP's built-in session handler.
    Built-in handling of session expiration and cleanup.
    Supports changes to session-related configuration settings (incl. PHP5).
    Allows for normal or persistent MySQL database connections.
    Access to opened MySQL resource connection to use in your script.
    Accepts a passed database resource link to use as the DB connection.
    Supports session IDs between 12 and 32 characters long.
    Custom or changeable database, table and column names.
    An option to create new session IDs (supplied by you, or built by the class or by PHP).
    Can initiate buffered output (using ob_start) within the class.
    A session_start() automatically initiated within the class.
    Can send 'Cache-Control:' header output within the class (fixes IE6 bug).
    Ability to retrieve a specific session's expiration date and time.
    Retrieve current session life setting in seconds or minutes.
    Retrieve a numeric total of the number of active and inactive sessions in table.
    Facility to make assignment and retrieval of session variables easier.
    Ability to create manual URIs and links that include the session name and ID.
    Ability to retrieve the MySQL server version number.
    Adequate encryption/decryption functions are included and used automatically when libmcrypt is not installed.


    Security features:

    Standard user inactivity time-out handled automatically.
    Absolute user logoff time-out capability (session will be terminated no matter what after a number of designated minutes/seconds have elapsed).
    Ability to lock and unlock a particular session or all sessions. When a session is locked, it immediately becomes unavailable for use.
    User to session verification using IP address and browser information.
    Security level (code) clearance for each session/web page.
    Encrypt/decrypt as desired each session field.
    Encrypt/decrypt an extra session field to compare against the original (to detect possible tampering).
    Encrypt/decrypt the whole session data in the table (essentially obscuring session variable names in table). Can be used in combination with per session field encryption, resulting in double encryption security.
    A new encryption Initialization Vector is created every time values change.
    Ability to manually delete a particular session or all sessions.
    The user's IP address and web browser are recorded as part of the session for tracing purposes.
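
The time-out, lock and client-verification checks listed above can be combined into a single gate that runs on every request. The following is an added example, not code from DB_eSession or its author; the column names, the limits and the functions check_session() and client_fingerprint() are hypothetical, and the sample row is constructed.

```php
<?php
// Added illustration, not DB_eSession code. Column names are hypothetical.
declare(strict_types=1);

const IDLE_LIMIT     = 900;    // inactivity time-out in seconds (assumed)
const ABSOLUTE_LIMIT = 28800;  // absolute logoff time-out in seconds (assumed)

// Bind a session to the client that created it. Both inputs are weak signals:
// the User-Agent is client-supplied, and IPs change behind proxies or mobile NAT.
function client_fingerprint(string $ip, string $userAgent): string
{
    return hash('sha256', $ip . "\n" . $userAgent);
}

// Returns 'ok', or the reason the stored session row must be rejected.
function check_session(array $row, string $ip, string $userAgent, int $now): string
{
    if ($row['locked']) {
        return 'locked';                 // locked sessions are never usable
    }
    if ($now - $row['created_at'] > ABSOLUTE_LIMIT) {
        return 'absolute-timeout';       // ends regardless of activity
    }
    if ($now - $row['last_seen'] > IDLE_LIMIT) {
        return 'idle-timeout';
    }
    // Constant-time comparison of the stored and current fingerprints.
    if (!hash_equals($row['fingerprint'], client_fingerprint($ip, $userAgent))) {
        return 'client-mismatch';        // different IP address or browser
    }
    return 'ok';
}

// Constructed sample row, as it might be read back from the sessions table.
$t0  = 1083801600;                       // constructed Unix timestamp
$row = [
    'locked'      => false,
    'created_at'  => $t0,
    'last_seen'   => $t0 + 600,
    'fingerprint' => client_fingerprint('192.0.2.10', 'ExampleBrowser/1.0'),
];
$cases = [
    'same client, 5 min idle'  => ['192.0.2.10', 'ExampleBrowser/1.0', $t0 + 900],
    'other IP, 5 min idle'     => ['198.51.100.7', 'ExampleBrowser/1.0', $t0 + 900],
    'same client, 20 min idle' => ['192.0.2.10', 'ExampleBrowser/1.0', $t0 + 1800],
    'same client, next day'    => ['192.0.2.10', 'ExampleBrowser/1.0', $t0 + 86400],
];
foreach ($cases as $label => [$ip, $ua, $now]) {
    printf("%-26s => %s\n", $label, check_session($row, $ip, $ua, $now));
}
```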


    Other features:

    Support for multiple language error and warning messages.
    Support of a default language as well as current active language settings.
    Basic or detailed (with SQL syntax) error/warning reporting.
    Buffered error and warning messages.
    Option for class to stop execution or not upon encountering an error/warning. Class can display errors/warnings automatically or control in your script.
    Can select font color and size separately for error and warning messages.
    Code has lots of comments and is formatted to fit within 82 characters per line.
    Full documentation (only provided in English) is included.
    Code use examples provided, including a basic authentication (login/logout) process.
    SQL text file provided for creating the MySQL session table.


    By : toplay

    Ver 1.0.2 - Download the zip file to see the class and other supporting files.

    This is a short introduction to the feature-packed DB_eSession PHP class, which allows the storage and management of session data in a MySQL database rather than in files (PHP's default). It is powerful, designed with security in mind, and easy to use. It's free under the GNU GPL.

    Files included in this package:

    class.DB_eSession.php - Main class file.
    errors.DB_eSession.php - Error and warning definitions used by class.
    config.DB_eSession.php - Optional configuration file used to pass parameters to class.
    eSessions_table.sql - A text file containing the SQL to create the MySQL sessions table.
    index.php - An example home page of an authentication process.
    login.php - An example page used to login members.
    emplogin.php - An example page used to login employees.
    logout.php - An example page of logging out members.
    members.php - An example page of members restricted area.
    employees.php - An example page of employees restricted area.
    guess.php - A number guessing game showing an example of the use of the class.
    examples.php - View code to get an idea of how to invoke various member functions of the class.
    monitor.php - Session table monitoring and maintenance page (helpful while testing your scripts).
    manual.html - DB_eSession class manual in HTML.
    license.html - The GPL in HTML.
    readme.html - This brief instructions file.

    Basic installation steps (for more details refer to the 'How to install' section of the manual):

    Use phpMyAdmin or a similar tool to create a MySQL database, username and password. If you already have these set up, you can use them and skip this step.
    Use the SQL within the eSessions_table.sql file to create the sessions table (using phpMyAdmin).
    Update config.DB_eSession.php with the name of the local host, database, username, password, table name, and column names if they are different than the supplied defaults.
    Install the class.DB_eSession.php, errors.DB_eSession.php, and config.DB_eSession.php in a folder on your web server (and make sure the files and folder have the correct permissions). Optionally, you can install the examples.php, guess.php, monitor.php, and the six login/logout example files to test the class with. Otherwise, you can just start writing your own script utilizing the new class.
    Open your web browser and enter the URL of the example PHP file you wish to run, for example www.example.com/guess.php or www.example.com/auth/index.php (this assumes that you created a directory called 'auth' and placed the six login/logout example files and the class-related files in it).
    The monitor.php file allows you to view every row in the sessions table, lock/unlock, and delete sessions. It is intended as an aid while developing your scripts. Although it is useful for webmasters to monitor session traffic, it is not recommended to place it in a public directory on a production-ready site. If you still intend to use it in a public directory, then protect the page from easy access (for example with a username and password). If you're using an Apache server, you can protect the page by setting up a .htaccess file. Also, read the Apache authentication information page.

    Don't forget to read the DB_eSession class manual.

