I have integrated WHMCS and Drupal. However, when you go to Drupal and you print_r the SESSION, you see completely different information than what you would do if you go to the WHMCS pages. So, my question is, how do I access the one's session, from the other one?
I need to access it, in order to see if the user is logged in or not.
The values you'll get depend on the session.name directive in php.ini. If you want them to be able to read each others', then set the same session.name.
Or rather, session data will be loaded based on the identifier in the cookie with the same name as session.name. This defaults to PHPSESSID, but you can change it yourself.
You can set this at runtime using ini_set() or session_name().
Drupal register its own session handling functions through session_set_save_handler() during bootstrap (drupal_bootstrap()). It also sets it own session mame in conf_init().
Because of the Drupal's handlers, restoring the WHMCS' session name before using standard PHP session will not work. PHP will use Drupal's hanlder to open, read, write, etc. session information. All you will get is the data for a wrong Drupal's session returned from sess_read() when called by PHP.
One way to read WHMCS' session is to figure out how it is stored and to access it without using PHP's sessions functions.
Another way may be to undo what Drupal has done (changing session name and registering handlers) to restore default behaviors of PHP's session functions, read the WHMCS' session and restore Drupal's session name and handlers.
Related
I am struggling to find info on PHP's session_set_cookie_params() affect on sessions that are being stored in a database. Have searched SO and google and referred to the manual, but no luck.
1) Is this function still used in exactly the same way as when using the default file storage for sessions?
2) A more generic session question then (file based approach) - when a session expires, is it deleted from the file system, or does that take place with the auto 'garbage collection', the probability of which is set in php.ini?
3) How is the first parameter (session lifetime) handled when using a database to store the session data? Because without a custom function/method, deletion from the database is not possible. Or does the session expire in the same way as file approach, but the garbage collection needs to be handled with a custom function?
I'm using the following article as a go-to at the moment;
How to save PHP sessions to a database
Thanks in advance.
1) This function configures the cookie that php sends to the client so it works as expected. The session_set_cookie_params() function only applies if you use the default PHP session implementation which stores session data on the disk in the folder defined by session.save_path
2) When using php's session implementation garbage collection happens automatically based on the session.gb_* ini settings. Each time a session is started there is a probability that the garbage collector is ran which will clean up all data from expired sessions.
3) You'll need to implement your own garbage collection routines if you use database storage for your sessions. You can use the probability ini settings to determine when to run garbage collection (see gb_probability and gb_divisor). Garbage collection is performed right after starting the session in most cases. That's when you should see if it should run, and if it runs query your database and remove all stale records. This assumes you also store expiration data with your records so you can actually evaluate if the record is stale or not.
That being said, don't reinvent the wheel and use one of the many Session libraries that already implement custom save handlers.
http://framework.zend.com/manual/current/en/modules/zend.session.save-handler.html
http://symfony.com/doc/current/components/http_foundation/session_configuration.html
I understand, how to manage user authorization using Yii built-in mechanism, but its unclear for me where is stores sessions.
I don't see any new tables in my database, but login persists, which means there is a persistent storage on a server-side to match user cookie to a userId.
Don't like anything happening without me knowing how it is done, especially when talking about security related issues. Could anyone please explain where Yii stores sessions and how to configure it.
As i know, the session is normaly stored into files. You can set the path in the php.ini file under session.save_path.
if you want to get your save path, you can use var_dump(session_save_path());
Normaly, you can access the session data with Yii::app()->session
If you want to store sessions in the database, look at this
i am trying to communicate with Memcache as a session handler for Joomla. Following the PHP docs bottom example i have registered memcache a session handler. As soon as a user loads the Joomla site its session id together with other user data is stored into the Joomla database. But now i don't know how to get hands on Memcache to read the serialized session data like can be done with XCache using xcache_get($sessionid) As soon as i create a new Memcache instance as can be seen in the docs top example the session entry is removed from the database. But the session yet exists. This is quite confusing to me. I required to access (read/write) the serialized user session. How can i fetch/set it from the PHP session handler?
I believe the equivalent you are looking for is something like this:
Getting the session:
$session = $memcache->get($sessionId);
Setting the session:
$memcache->set(
'sessionprefix:'.$sessionId, // the session id.
$session, // the actual session itself
false, // set to true to use compression
$expire, // expiration in second
);
I have not used memcache very much but I have read that people usually use a prefix in the key to separate the different types of objects (this is also a common practice with redis, a similar data store). I have used 'sessionprefix:' here but I am sure Joomla has their own specific prefix.
does any body have any info/links as to how to integrate a cookie based session system? i've used file/mysql, and am currently using memcached. i wanted to play with apc sessions, but thought i'd give a go at cookies, only i don't know much about it.
i imagine i'd have to write my own session handler class?
In PHP session data is usually stored in a file. The only thing stored in the cookie is a session identifier. When sessions are enabled and a valid session cookie is found, PHP loads the users session data from the file into a super global called funnily enough SESSION.
Basic sessions are started using session_start(); called before any text is sent to the browser. then items are added to or removed from the session object using simple array indexing eg.
$_SESSION['favcolour'] = 'blue';
later...
$favcolour = $_SESSION['favcolour'];
basic cookie only sessions (no local storage) can be created with a call to
set_cookie('favcolour','blue'[,other params]);
before any text is sent to the browser, then retrieved from the cookie superglobal
$favcolour = $_COOKIE['favcolour'];
you don't need to call session_start() if doing cookie only sessions.
the optional [,other params] are more advanced and can be read about here http://www.php.net/manual/en/function.setcookie.php
Sessions can become a very complex discussion, I'd suggest doing some light work in them and then expand your knowledge.
DC
all you ever wanted to know about PHP sessions
http://www.php.net/manual/en/book.session.php
DC
To reuse PHP's session handling code you will need to add a write handler using session_set_save_handler and then do exactly nothing in that handler. That's because its called after the output to the browser is closed therefore you cannot send anything to the browser.
Before writing non header data to the browser use the set_cookie functions and store the contents of the $_SESSION array (after serialising and encrypting) into a cookie. when the applications start you can read the cookie unserialise it and put it into the $_SESSION array.
That's a quick hint at what to do as I have never done it, I prefer to write all my own cookie code. There may be some gotcha's but its not hard a few tests should find any gotcha's.
DC
I have an API that is dependent on certain state information between requests. As an easy first version of the code, I am simply using PHP session's to store the state information instead of something more advanced (APC, memcache, DB). Throughout my initial testing in a web browser, everything worked perfectly. However, it seems that when clients try to connect through non-browser methods such as Curl or wget, the state information is not being preserved.
Will a PHP session only be created if a browser is requesting the page? I am explicitly starting the session with session_start() as well as naming it before hand with session_name().
An added note. I learned that one of the major problems I was having was that I was naming the session instead of setting the session id via session_id($id); My intention in using session_name() was to retrieve the same session that was previously created, and the correct way to do this is by setting the session_id not the session_name.
It seems that session information will be persisted on the server as noted below (THANK YOU). But to keep this you must pass the session id, or, as in my case, any other id that would uniquely identify the user. Use this id as the session_id and your sessions will function as expected.
Session Cookies
Remember that HTTP is stateless, so sessions are tracked on your server, but the client has to identify itself with each request. When you declare session_start(), your browser is usually setting a cookie (the "PHP Session Id"), and then identifying itself by sending the cookie value with each request. When a script is called using a request with a session value, then the session_start() function will try to look up the session. To prove this to yourself, notice that sessions die when you clear your cookies.. many will die even as soon as you quit the browser, if the cookie is a "session" cookie (a temporary one). You mentioned that you're naming the session.. take a look in your browser cookies and see if you can find a cookie with the same name.
All of this is to say that cookies are playing an active role in your sessions, so if the client doesn't support cookies, then you can't do a session the way you're currently doing it.. at least not for those alternative clients. A session will be created on the server; the question is whether or not the client is participating.
If cookies aren't an option for your client, you're going to have to find another way to pass a session id to the server. This can be done in the query string, for example, although it's a considered a bit less private to send a session id in this way.
mysite.com?PHPSESSID=10alksdjfq9e
How do to this specifically may vary with your version of PHP, but it's basically just a configuration. If the proper runtime options are set, PHP will transparently add the session id as a query parameter to links on the page (same-source only, of course). You can find the specifics for setting that up on the PHP website.
Sidenote: Years ago, this was a common problem when attempting to implement a session. Cookies were newer and many people were turning off the cookie support in their browsers because of purported security concerns.
Sidenote: #Uberfuzzy makes a good point- Using sessions with curl or wget is actually possible. The problem is that it's less automatic. A user might dump header values into a file and use the values on future requests. curl has some "cookie awareness" flags, which allow you to handle this more easily, but you still must explicitly do it. Then again, you could use this to your advantage. If curl is available on your alternative client, then you can plausibly make the call yourself, using the cookie awareness flags. Refer to the curl manual.
If you call session_start(), then a session will be created if the client isn't in an existing one. If the client doesn't support (or is configured to ignore) the cookies or querystring mechanism used to maintain the session, a new session will be created on every request.
This may bloat your session storage mechanism with unused sessions.
It might be a better idea to only call session_start() when you have something to store in the session (e.g. user login, or something else that robots aren't likely to do), if you feel this is likely to be a problem.
Will a PHP session only be created if a browser is requesting the page?
Short answer: Yes. Sessions were created specifically to solve the HTTP stateless problem by leveraging browser features. APC, memcached, DB, etc. don't matter. Those are just storage methods for the session, and will suffer from the same problem.
Longer answer: The concept of sessions were created to account for the fact that HTTP is a stateless protocol, and it turns out that state's pretty important for a wide variety of software applications.
The most common way of implementing sessions is with cookies. PHP sends the session ID in a cookie, and the browser sends the cookie with the session ID back. This ID is used on the server to find whatever information you've stored in the session. PHP has the capacity to include and read a session ID at the end of a URLs, but this assumes that users will navigate to pages on your site/application by clicking links that include a generated session ID.
In your specific case, it is possible to use cookies with curl (and possibly wget). Curl is a web browser, just one without a GUI. If it's the command line curl program you're using (as opposed to the C library, PHP extension,etc.) read up on the following options
-b/--cookie
-c/--cookie-jar
-j/--junk-session-cookies