Storing your session to database in php

By yalamber at 29 August, 2008, 7:19 pm

I develop custom solutions for my projects, and since security is my top concern when I build applications, I was looking for a way to secure my PHP applications. I had to build one for a shared hosting environment and found that session hijacking was a big problem on a shared server: by default PHP writes every site's session files into the same temporary directory on that machine. The best solution was to store the session somewhere more secure. After some research I found that PHP already has a way to do this, the session_set_save_handler() function. The database was the natural place to keep the sessions, because it has its own authentication layer, so I decided to use it for my applications.

First, create a database table with the following SQL in your application database:


CREATE TABLE IF NOT EXISTS `yourAppPrefix_sessions` (
`id` varchar(32) NOT NULL,
`access` int(10) unsigned default NULL,
`data` text,
PRIMARY KEY  (`id`)
) ENGINE=MyISAM;

Below is the code to use it in your own application:


<?php
// Database-backed session handler for PHP's session_set_save_handler().
// A mysql_connect() connection must already be open before this file is
// included (mysql_real_escape_string() needs it). The table name matches
// the CREATE TABLE above; in the original listing "[p]" stood for your
// application prefix.

function _open($save_path, $session_name)
{
    // The database connection is opened by the application, nothing to do here
    return true;
}

function _close()
{
    return true;
}

function _read($id)
{
    $id = mysql_real_escape_string($id);

    $sql = "SELECT data
            FROM   `yourAppPrefix_sessions`
            WHERE  id = '$id'";

    if ($result = mysql_query($sql))
    {
        if (mysql_num_rows($result))
        {
            $record = mysql_fetch_array($result);

            return $record['data'];
        }
    }

    // No row yet: PHP expects an empty string for a new session, not false
    return '';
}

function _write($id, $data)
{
    $access = time();

    $id     = mysql_real_escape_string($id);
    $access = mysql_real_escape_string($access);
    $data   = mysql_real_escape_string($data);

    // REPLACE inserts a new row or overwrites the existing one for this id
    $sql = "REPLACE
            INTO    `yourAppPrefix_sessions`
            VALUES  ('$id', '$access', '$data')";

    return mysql_query($sql) !== false;
}

function _destroy($id)
{
    $id = mysql_real_escape_string($id);

    $sql = "DELETE
            FROM   `yourAppPrefix_sessions`
            WHERE  id = '$id'";

    return mysql_query($sql) !== false;
}

// Garbage collection: $max is session.gc_maxlifetime in seconds
function _clean($max)
{
    $old = time() - $max;
    $old = mysql_real_escape_string($old);

    $sql = "DELETE
            FROM   `yourAppPrefix_sessions`
            WHERE  access < '$old'";

    return mysql_query($sql) !== false;
}

session_set_save_handler('_open',
                         '_close',
                         '_read',
                         '_write',
                         '_destroy',
                         '_clean');

// Write the session before PHP closes the database connection at shutdown
register_shutdown_function('session_write_close');

Save the above code as session.php (or any name you like).

After this, wherever you want to use sessions in your application, just add the following to start the session:


//Store session to database
require_once("path_to/session.php");
session_start();

Also make sure you have already connected to your database before the above code runs, as the handler uses that connection to store the session.

Now you can use sessions as usual. This only changes where your session data is stored, i.e. in the database; everything else works the same as when sessions are stored on the local machine. I hope this makes clear what I am talking about.
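The same idea written against PHP's current handler API, as an added example and not code from the original post: a class implementing SessionHandlerInterface (plus SessionUpdateTimestampHandlerInterface, so that session.use_strict_mode can reject session ids the server never issued) on top of PDO prepared statements, so the session id and data are never interpolated into SQL. It assumes PHP 7.0 or later with the pdo_sqlite extension available; the table name app_sessions and the file sessions.sqlite are placeholders I chose, and the SQL also works on MySQL if you change the DSN.

```php
<?php
// Added example (not the original post's code): PDO-backed session storage.
// Assumes PHP >= 7.0 and pdo_sqlite; table name and DB file are placeholders.

class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $db;
    private $table;

    public function __construct(PDO $db, $table = 'app_sessions')
    {
        $this->db = $db;
        $this->table = $table;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Same three columns as the post's table; id is wide enough for any session.sid_length
        $this->db->exec("CREATE TABLE IF NOT EXISTS {$this->table} (
            id     VARCHAR(256) NOT NULL PRIMARY KEY,
            access INTEGER      NOT NULL,
            data   TEXT         NOT NULL)");
    }

    // #[\ReturnTypeWillChange] silences PHP 8.1+ return-type notices; PHP 7 reads it as a comment
    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName) { return true; }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $stmt = $this->db->prepare("SELECT data FROM {$this->table} WHERE id = :id");
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        // PHP expects '' (not false) for a session that has no data yet
        return $data === false ? '' : $data;
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $stmt = $this->db->prepare(
            "REPLACE INTO {$this->table} (id, access, data) VALUES (:id, :access, :data)");
        return $stmt->execute([':id' => $id, ':access' => time(), ':data' => $data]);
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE id = :id");
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: remove rows idle longer than session.gc_maxlifetime
    #[\ReturnTypeWillChange]
    public function gc($maxlifetime)
    {
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE access < :cutoff");
        return $stmt->execute([':cutoff' => time() - $maxlifetime]);
    }

    // With session.use_strict_mode=1 PHP asks the handler whether a cookie's id is
    // one it created; an unknown id gets a fresh one instead of being adopted
    #[\ReturnTypeWillChange]
    public function validateId($id)
    {
        $stmt = $this->db->prepare("SELECT 1 FROM {$this->table} WHERE id = :id");
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    // Called instead of write() when the data is unchanged (session.lazy_write=1)
    #[\ReturnTypeWillChange]
    public function updateTimestamp($id, $data)
    {
        $stmt = $this->db->prepare("UPDATE {$this->table} SET access = :access WHERE id = :id");
        return $stmt->execute([':access' => time(), ':id' => $id]);
    }
}

ini_set('session.use_strict_mode', '1');   // only accept ids the server issued
ini_set('session.gc_maxlifetime', '1440'); // idle seconds before gc() removes a row

$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
// true also registers session_write_close() as a shutdown function
session_set_save_handler(new DbSessionHandler($pdo), true);

session_start();
$_SESSION['hits'] = (isset($_SESSION['hits']) ? $_SESSION['hits'] : 0) + 1;
$id = session_id();
session_write_close();

// Re-open the same session: the data now comes back from the database row
session_id($id);
session_start();
echo "session {$id} hits: {$_SESSION['hits']}\n";
session_write_close();
```

Running the file from the command line creates sessions.sqlite next to it and prints the hit counter read back from the database. Note that gc() only runs when PHP's probabilistic garbage collection fires (session.gc_probability / session.gc_divisor), so on a busy shared host a scheduled job issuing the same DELETE is a more predictable way to purge stale rows.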

Categories : Tutorials | php

Comments
Roland Standards August 31, 2008

To use it, all you have to do is include the class file in your script and change the mysql connection variables. Roland Standards
