first, connect to a database containing the sessions table
include the class
require 'path/to/Zebra_Session.php';
start the session
where $link is a connection link returned by mysqli_connect
$session = new Zebra_Session($link, 'sEcUr1tY_c0dE');
By default, the cookie used by PHP to propagate session data across multiple pages ('PHPSESSID') uses the
current top-level domain and subdomain in the cookie declaration.
Example: www.domain.com
This means that the session data is not available to other subdomains. Therefore, a session started on
www.domain.com will not be available on blog.domain.com. The solution is to change the domain PHP uses when it
sets the 'PHPSESSID' cookie by calling the line below *before* instantiating the Zebra_Session library.
takes the domain and removes the subdomain
blog.domain.com becoming .domain.com
ini_set(
'session.cookie_domain',
substr($_SERVER['SERVER_NAME'], strpos($_SERVER['SERVER_NAME'], '.'))
);
From now on whenever PHP sets the 'PHPSESSID' cookie, the cookie will be available to all subdomains! | public __construct ( resource &$link, string $security_code, integer $session_lifetime = '', boolean $lock_to_user_agent = true, boolean $lock_to_ip = false, integer $gc_probability = '', integer $gc_divisor = '', string $table_name = 'session_data', string $lock_timeout = 60 ) : void | ||
| $link | resource | An object representing the connection to a MySQL Server, as returned
by calling {@link http://www.php.net/manual/en/mysqli.construct.php mysqli_connect}.
If you use {@link http://stefangabos.ro/php-libraries/zebra-database/ Zebra_Database}
to connect to the database, you can get the connection to the MySQL server
via Zebra_Database's {@link http://stefangabos.ro/wp-content/docs/Zebra_Database/Zebra_Database/Zebra_Database.html#methodget_link get_link}
method.
@param string $security_code The value of this argument is appended to the string created by
concatenating the user's User Agent (browser) string (or an empty string
if "lock_to_user_agent" is FALSE) and to the user's IP address (or an
empty string if "lock_to_ip" is FALSE), before creating an MD5 hash out
of it and storing it in the database.
On each call this value will be generated again and compared to the
value stored in the database ensuring that the session is correctly linked
with the user who initiated the session thus preventing session hijacking.
To prevent session hijacking, make sure you choose a string around
12 characters long containing upper- and lowercase letters, as well as
digits. To simplify the process, use {@link https://www.random.org/passwords/?num=1&len=12&format=html&rnd=new this}
link to generate such a random string.
@param integer $session_lifetime (Optional) The number of seconds after which a session will be considered
as expired.
Expired sessions are cleaned up from the database whenever the garbage
collection routine is run. The probability of the garbage collection
routine to be executed is given by the values of $gc_probability
and $gc_divisor. See below.
Default is the value of session.gc_maxlifetime as set in in php.ini.
Read more at {@link http://www.php.net/manual/en/session.configuration.php}
To clear any confusions that may arise: in reality, session.gc_maxlifetime
does not represent a session's lifetime but the number of seconds after
which a session is seen as garbage and is deleted by the garbage
collection routine. The PHP setting that sets a session's lifetime is
session.cookie_lifetime and is usually set to "0" - indicating that
a session is active until the browser/browser tab is closed. When this class
is used, a session is active until the browser/browser tab is closed and/or
a session has been inactive for more than the number of seconds specified
by session.gc_maxlifetime.
To see the actual value of session.gc_maxlifetime for your
environment, use the {@link get_settings()} method.
Pass an empty string to keep default value.
@param boolean $lock_to_user_agent (Optional) Whether to restrict the session to the same User Agent (or
browser) as when the session was first opened.
The user agent check only adds minor security, since an attacker that
hijacks the session cookie will most likely have the same user agent.
In certain scenarios involving Internet Explorer, the browser will randomly
change the user agent string from one page to the next by automatically
switching into compatibility mode. So, on the first load you would have
something like:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; etc...
and reloading the page you would have
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; etc...
So, if the situation asks for this, change this value to FALSE.
Default is TRUE.
@param boolean $lock_to_ip (Optional) Whether to restrict the session to the same IP as when the
session was first opened.
Use this with caution as many users have dynamic IP addresses which may
change over time, or may come through proxies.
This is mostly useful if your know that all your users come from static IPs.
Default is FALSE.
@param integer $gc_probability (Optional) Used in conjunction with $gc_divisor. It defines the
probability that the garbage collection routine is started.
The probability is expressed by the formula:
$probability = $gc_probability / $gc_divisor;
So, if $gc_probability is 1 and $gc_divisor is 100, it means
that there is a 1% chance the the garbage collection routine will
be called on each request.
Default is the value of session.gc_probability as set in php.ini.
Read more at {@link http://www.php.net/manual/en/session.configuration.php}
To see the actual value of session.gc_probability for your
environment, and the computed probability, use the
{@link get_settings()} method.
Pass an empty string to keep default value.
@param integer $gc_divisor (Optional) Used in conjunction with $gc_probability. It defines the
probability that the garbage collection routine is started.
The probability is expressed by the formula:
$probability = $gc_probability / $gc_divisor;
So, if $gc_probability is 1 and $gc_divisor is 100, it means
that there is a 1% chance the the garbage collection routine will
be called on each request.
Default is the value of session.gc_divisor as set in php.ini.
Read more at {@link http://www.php.net/manual/en/session.configuration.php}
To see the actual value of session.gc_divisor for your
environment, and the computed probability, use the
{@link get_settings()} method.
Pass an empty string to keep default value.
@param string $table_name (Optional) Name of the MySQL table used by the class.
Default is session_data.
@param string $lock_timeout (Optional) The maximum amount of time (in seconds) for which a lock on
the session data can be kept.
This must be lower than the maximum execution time of the script!
Session locking is a way to ensure that data is correctly handled in a
scenario with multiple concurrent AJAX requests.
Read more about it at
{@link http://thwartedefforts.org/2006/11/11/race-conditions-with-ajax-and-php-sessions/}
Default is 60
@return void |
| $security_code | string | |
| $session_lifetime | integer | |
| $lock_to_user_agent | boolean | |
| $lock_to_ip | boolean | |
| $gc_probability | integer | |
| $gc_divisor | integer | |
| $table_name | string | |
| $lock_timeout | string | |
| Résultat | void | |
function __construct(&$link, $security_code, $session_lifetime = '', $lock_to_user_agent = true, $lock_to_ip = false, $gc_probability = '', $gc_divisor = '', $table_name = 'session_data', $lock_timeout = 60)
{
// store the connection link
$this->link = $link;
// continue if there is an active MySQL connection
if ($this->_mysql_ping()) {
// make sure session cookies never expire so that session lifetime
// will depend only on the value of $session_lifetime
ini_set('session.cookie_lifetime', 0);
// if $session_lifetime is specified and is an integer number
if ($session_lifetime != '' && is_integer($session_lifetime)) {
// set the new value
ini_set('session.gc_maxlifetime', (int) $session_lifetime);
}
// if $gc_probability is specified and is an integer number
if ($gc_probability != '' && is_integer($gc_probability)) {
// set the new value
ini_set('session.gc_probability', $gc_probability);
}
// if $gc_divisor is specified and is an integer number
if ($gc_divisor != '' && is_integer($gc_divisor)) {
// set the new value
ini_set('session.gc_divisor', $gc_divisor);
}
// get session lifetime
$this->session_lifetime = ini_get('session.gc_maxlifetime');
// we'll use this later on in order to try to prevent HTTP_USER_AGENT spoofing
$this->security_code = $security_code;
// some other defaults
$this->lock_to_user_agent = $lock_to_user_agent;
$this->lock_to_ip = $lock_to_ip;
// the table to be used by the class
$this->table_name = $table_name;
// the maximum amount of time (in seconds) for which a process can lock the session
$this->lock_timeout = $lock_timeout;
// register the new handler
session_set_save_handler(array(&$this, 'open'), array(&$this, 'close'), array(&$this, 'read'), array(&$this, 'write'), array(&$this, 'destroy'), array(&$this, 'gc'));
// start the session
session_start();
// the name for the session variable that will be created upon script execution
// and destroyed when instantiating this library, and which will hold information
// about flashdata session variables
$this->flashdata_varname = '_zebra_session_flashdata_ec3asbuiad';
// assume no flashdata
$this->flashdata = array();
// if there are any flashdata variables that need to be handled
if (isset($_SESSION[$this->flashdata_varname])) {
// store them
$this->flashdata = unserialize($_SESSION[$this->flashdata_varname]);
// and destroy the temporary session variable
unset($_SESSION[$this->flashdata_varname]);
}
// handle flashdata after script execution
register_shutdown_function(array($this, '_manage_flashdata'));
// if no MySQL connections could be found
// trigger a fatal error message and stop execution
} else {
trigger_error('Zebra_Session: No MySQL connection!', E_USER_ERROR);
}
}