Welcome to SmartSessions

SmartSession is a PHP program that intelligently manages user sessions.

Some key features

Session Data Is Stored In The Database

Storing the session data in the database allows you to host your website on multiple servers, with each server having access to the session data. The program attempts to lock the session, preventing multiple servers from accessing the session data simultaneously.
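An added example (not SmartSessions' own code) of the database-backed store with row locking that the paragraph describes. It uses PHP's SessionHandlerInterface with PDO against MySQL/InnoDB rather than the project's MDB2 layer; the table name, column names and the DSN are assumptions:

```php
<?php
// Added example, not SmartSessions' own code. Assumed schema:
//   CREATE TABLE sessions (
//     id      VARCHAR(128) NOT NULL PRIMARY KEY,
//     data    BLOB         NOT NULL,
//     expires INT UNSIGNED NOT NULL,
//     INDEX (expires)
//   ) ENGINE=InnoDB;

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttlSeconds = 86400)
    {
        $this->db  = $db;
        $this->ttl = $ttlSeconds;
    }

    public function open(string $path, string $name): bool
    {
        return true;
    }

    public function close(): bool
    {
        // Committing releases the row lock taken in read().
        if ($this->db->inTransaction()) {
            $this->db->commit();
        }
        return true;
    }

    public function read(string $id): string|false
    {
        // One transaction per request. SELECT ... FOR UPDATE locks the row, so a
        // second server handling a concurrent request for the same session id
        // blocks here until this request commits in close().
        $this->db->beginTransaction();
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires > :now FOR UPDATE'
        );
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Upsert and push the database-side expiry forward by the TTL.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, expires) VALUES (:id, :data, :exp)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expires = VALUES(expires)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':exp' => time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Expiry is tracked in the row, so gc() ignores $max_lifetime.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Usage; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
session_set_save_handler(new DbSessionHandler($pdo, 86400), true);
session_start();
```

Because the row stays locked from read() until close(), every request for the same session is serialized across all servers; a long-running page should call session_write_close() as soon as it is done with $_SESSION so it does not hold up the user's other requests.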

Cookie Refreshes Are Minimized

Personally, I HATE having session cookies refresh with every page hit. SmartSession allows you to configure how often cookies are refreshed.

For example, instead of refreshing the cookie 30 times per hour (i.e. every page hit) with a 24 hour TTL (time-to-live), a smart session might be configured to refresh the cookie only once per hour, with a 25 hour TTL.

The user still gets at least 24 hours before his session expires, but far fewer cookies are created.

Session ID Changes To Help Avoid "Session Fixation"

Whenever the cookie is refreshed, the session id is changed to help prevent 'session fixation'.
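The refresh policy from the two sections above, written as an added example (not SmartSessions' own code): the cookie is re-issued at most once per hour with a 25 hour TTL, which still guarantees the user 24 hours of session life, and the session id is rotated on every refresh. The constant names, the session name and the _refreshed_at key are assumptions:

```php
<?php
// Added example, not SmartSessions' own code.
const SESSION_MIN_LIFE = 24 * 3600;                     // the user is guaranteed at least this long
const REFRESH_INTERVAL = 1 * 3600;                      // re-issue the cookie at most this often
const COOKIE_TTL       = SESSION_MIN_LIFE + REFRESH_INTERVAL; // 25 hours, as in the text

function smart_session_start(string $name = 'SMARTSESS'): void
{
    // Reject session ids that the save handler has never seen, so a planted id
    // cannot be turned into a live session.
    ini_set('session.use_strict_mode', '1');

    session_name($name);
    session_set_cookie_params([
        'lifetime' => COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (!isset($_SESSION['_refreshed_at'])) {
        // Brand-new session: session_start() already sent the cookie; just stamp it.
        $_SESSION['_refreshed_at'] = $now;
        return;
    }

    if ($now - $_SESSION['_refreshed_at'] < REFRESH_INTERVAL) {
        return; // refreshed recently: no new cookie and no id change on this hit
    }

    // Time to refresh. session_regenerate_id() issues a new id and re-sends the
    // cookie with the configured params, so its expiry moves to now + COOKIE_TTL.
    // Passing true deletes the old id's stored data, so a previously fixed id
    // stops mapping to this session.
    session_regenerate_id(true);
    $_SESSION['_refreshed_at'] = $now;
}

smart_session_start();
```

With these values the worst case for a user is a cookie refreshed at hour 0 and a next visit at hour 24 plus 59 minutes: the cookie is still valid (25 hour TTL), the visit refreshes it again, and the database row's TTL must simply be at least as long as COOKIE_TTL for the stored data to still be there.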

Downloading and Configuring

Feel free to download the project if you'd like to have a look:

Dependencies

This project depends on the following:

  • PEAR - PHP Extension and Application Repository
  • MDB2 Database Abstraction Layer

Even though the project was designed and coded for MySQL, the use of MDB2 implies that porting to other database engines may not be too difficult.

License

This project is currently released under the GPL v2.0 license, but I don't really know if that is the best license for this type of project.

To Do

  • Add 'user agent' check to help ensure session belongs to the user making the request.
  • Tighten up the configuration variables. If the cookie TTL is not set to "end of browser session", then there's no real compelling reason for it to be any different than the database TTL. So instead of being an 'int' variable, the cookie TTL should probably just be a boolean that specifies either "end of browser session" or "same as database TTL". At that point the variable should probably be called SESSION_TTL and the cookie TTL name should be changed to some appropriate boolean name.
  • It might be more convenient to pass the database connection into the methods, or pass it into the static methods, but have a setConnection() for the instance.
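One way to implement the 'user agent' check from the first To Do item, as an added example that is not part of the project. It stores a hash of the User-Agent on the first request and, on later requests, destroys the session when the header no longer matches; the function name and the _ua_hash key are assumptions:

```php
<?php
// Added example, not SmartSessions' own code.
// Returns true when the session is bound to the caller's User-Agent (or has just
// been bound), false when the header changed and the session was destroyed.
function session_user_agent_matches(): bool
{
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $hash = hash('sha256', $ua);

    if (!isset($_SESSION['_ua_hash'])) {
        // First request of this session: record the browser presenting it.
        $_SESSION['_ua_hash'] = $hash;
        return true;
    }

    // Constant-time comparison; a mismatch means a different client is using
    // this id, so drop the session rather than serve it.
    if (hash_equals($_SESSION['_ua_hash'], $hash)) {
        return true;
    }

    $_SESSION = [];
    session_destroy();
    return false;
}

session_start();
if (!session_user_agent_matches()) {
    header('Location: /login', true, 302);
    exit;
}
```

The header is supplied by the client, so this only helps against an attacker who does not also copy the victim's User-Agent, and it will log out legitimate users whose browser updates mid-session; it is a cheap extra signal, not a substitute for the id rotation above.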
