Can anyone recommend a session wrapper class?

Lord_Yggdrasill

Well I've been searching through the internet trying to find a session wrapper class to use. What it basically does is to prevent direct usage of $_SESSION superglobals from script files (although the superglobals are still in action), and instead use the OOP way to access, change and clean session variables. An example is shown below:

Traditional Session way:

session_start();
$sid = session_id();
$_SESSION['name'] = 'value';
if(isset($_SESSION['name'])){
  // do something...
}
else{
  echo "Session expired".
}
unset($_SESSION['name']);
session_destroy();

The session wrapper class makes everything look neater and more professional:

$sess = new Session(); //The constructor checks if session already started or not
$sid = $sess->getid();
$sess->set("name", "value");
if(isset($sess->get("name"))){
  // do something
}
else{
  $sess->error("Session already expired...");
}
$sess->clean($sess->get("name"));
$sess->destroy();

I've come across this sample session wrapper class, it looks good but still is missing some functionality. Can anyone of you recommend a better session class? Or do you think this one is already good enough? Please help...
http://snipplr.com/view/326/

laserlight

Lord Yggdrasill wrote:
What it basically does is to prevent direct usage of $SESSION superglobals from script files (although the superglobals are still in action)

Hmm... is that actually possible? I expect that it would still be possible to use $SESSION directly, except that such code should not pass review if the session class is mandated.

Lord Yggdrasill wrote:
The session wrapper class makes everything look neater and more professional:

Not really. Essentially, session state is global state. A wrapper class thus just provides some syntactic sugar, yet the associative array aspect of $_SESSION is already pretty good syntactic sugar. Probably the really useful parts involve starting and destroying the session, but then wrapper functions for these could suffice.

Lord_Yggdrasill

Well theoretically you can encrypt session name and value by defining a method inside the session wrapper class, although I've never tested this myself. To me a session wrapper class makes the script look more clear and professional, I try not to using superglobals in main script files(non-library files) unless I dont have a choice. Since I am using PDO, I've also been searching for a way to use database object $db in class and function files without declaring it to be global. Its been unsuccessful so far, unfortunately.

laserlight

Lord Yggdrasill wrote:
Well theoretically you can encrypt session name and value by defining a method inside the session wrapper class, although I've never tested this myself.

I'll need to test it myself as I have never messed around with the session name, but I don't think that will prevent the use of $_SESSION.

Lord Yggdrasill wrote:
To me a session wrapper class makes the script look more clear and professional

Because you really find it clearer, or because you have the notion that "OOP" equates to "clear and professional"? 😉

In your example code using a (hypothetical?) session wrapper class, there really is not much difference compared to the "traditional session way": you're still checking for the session variable with isset rather than say, using a has method or just using the get method and then catching an exception. The clean method does not make sense since it should probably take a name rather than a value. It is not clear what does the error method do, whereas the echo is obvious. What happens if I create two Session objects in the same scope, and then interleave their use?

Lord Yggdrasill wrote:
Since I am using PDO, I've also been searching for a way to use database object $db in class and function files without declaring it to be global. Its been unsuccessful so far, unfortunately.

There may come a time where you may want to access more than one database simultaneously, so the database handle is not necessarily a singleton.

Lord_Yggdrasill

Oh, thats my mistake. Of course the session wrapper class should check if a session is set with a method instead of calling isset() on a returned value from get() method directly. A better code should look like this:

if($sess->exist("name")){
  // do something
}

But yeah, I agree that it technically does not make much difference other than making the code looks clear, professional and more readable. If there is a way to actually make better use of a session wrapper class so it does more useful jobs(rather than just convert array to object and traditional procedural code to OOP way), Id like to hear.

And the database I am using is not singleton at all. I can instantiate more database objects like $db2 and $db3 without a problem. In fact, I've done a simple forum integration with MyBB plugin, which instantiate another database object using the same class. The site and forum database objects handle queries from two databases, although at this point I have yet to introduce object interaction between these two.

Weedpacket

Lord Yggdrasill wrote:
Since I am using PDO, I've also been searching for a way to use database object $db in class and function files without declaring it to be global. Its been unsuccessful so far, unfortunately.

Objects that need database communications could be provided with the connection object (at instantiation, probably) which they keep in a private property. It doesn't get around the need for the connection object itself to be global (unless each object with a need to communicate with the database opens its own connection - yuck), but that's why the Singleton pattern exists.

Regarding $SESSION - I'm in agreement with laserlight: avoiding superglobals merely for the sake of avoiding superglobals seems masochistic, but that might be in part because I remember when PHP didn't have any session management facilities at all and I had to do the whole thing myself - I have some appreciation for what implementation issues are hidden behind the $SESSION interface. For sessions specifically (never mind $GLOBALS, $_ENV, and the other superglobals), I do see one potential benefit of wrapping it, and that is "lazy session_start" - the session is automatically started when and only when a call on session data is made.

But you can regard the session store as a database of name/value pairs, and a similar class framework could be erected. Note that there is already an OO interface to the session handler in the form of the [man]SessionHandlerInterface[/man]; by implementing that and registering the result the "session database connection singleton" would serve an analogous role as a PDO driver by being the session's interface between the user and its implementation.

But when you look on the session store as a database of name/value pairs then it also starts to look awfully like an associative array - and PHP has native support for associative arrays. Indeed, it even provides an [man]ArrayAccess[/man] interface so that objects can look like associative arrays.

laserlight

Lord Yggdrasill wrote:
But yeah, I agree that it technically does not make much difference other than making the code looks clear, professional and more readable.

Granted, this is subjective, but my point is that this lack of a real difference is precisely why the use of a wrapper would not provide any real advantage in clarity (and hence readability). However, if you are using a wrapper class with the idea of asserting greater control over the session interface so that you can be more resistant to an API or even a requirements change, then by all means, go ahead.

By the way, would you please stop throwing around the word "professional", especially when you are implying that code written in a procedural manner is less "professional"? Otherwise, I might suggest the use of say, Java instead of PHP to be more "professional" 😉

Lord Yggdrasill wrote:
If there is a way to actually make better use of a session wrapper class so it does more useful jobs(rather than just convert traditional procedural code to OOP way), Id like to hear.

Well, not only is a session typically a store with global state, it is also a very simple key/value store. No point turning the simple into something complicated when you don't need to.

But if you want to follow up on what I wrote in post #4, something useful is to throw an exception if an attempt is made to access a session variable that does not exist. This ensures that such an error cannot be casually ignored, and allows for certain code to be written in an "easier to ask for forgiveness than permission" manner.

Lord_Yggdrasill

I see what you mean, thanks. Id say throwing an exception is a good idea, I will see if I can design a class like that.

However, if you are using a wrapper class with the idea of asserting greater control over the session interface so that you can be more resistant to an API or even a requirements change, then by all means, go ahead.

I do have this idea in mind, even though at this moment I am still thinking about how a session wrapper can be more resistant to an API. Would you mind showing me an example? Its okay if you dont want to, I just want to make the session class better right from the beginning instead of having to go back and edit lots of things when problem emerges months later.

Weedpacket

My preferred approach is to have as little as possible in the interface (but no less). It is just preference on my part: I have a tendency to think of all the edge cases and want the all-singing all-dancing implementation from the start, so something that forces me to keep things at a realistic scale is A Good Thing.

Aggregation can add additional behaviour when needed: if I find myself aggregating the same things over and over I take it as a sign that they really should have been together in the first place, and I extend the original interface (it's much easier to extend an interface than cut one back). Furthermore, having something actually in use and working gives me a better feel for what it should do.

A random stab at my files throws up How to Design a Good API and Why It Matters (PDF of a slide presentation; it looks like the presentation itself is on YouTube).

Derokorian

Your link is missing the f part of the pdf extension. Add the f or click here for weed's link http://lcsd05.cs.tamu.edu/slides/keynote.pdf

NogDog

FWIW, here's something I came up with a couple years ago -- which of course means I'd probably do it totally differently now. 🙂

http://www.charles-reace.com/blog/2009/10/20/implementing-a-database-based-session-handler/

Lord_Yggdrasill

Well this is what I have for the session class so far. It is by no means to be completed yet and will need more work before I can use the class in practice. Please lemme know if I've done anything wrong, Id like to improve it as much as I can.

<?php

class Session{
  private $ssid;
  public $started = FALSE;
  private $initime;
  private $useragent;
  private $clientip;

  public function __construct(){
     session_start();
	 $this->started = TRUE;
	 $this->ssid = session_id();
	 $this->initime = time();
	 $this->useragent = $_SERVER['HTTP_USER_AGENT'];
	 $this->clientip = $_SERVER['REMOTE_ADDR'];
  }

  public function getid(){
     $this->validate();
     if(empty($this->ssid)) $this->error("Session already expired...");	
	 else return $this->ssid; 
  }

  public function exist($name){
     $this->validate();
     if(!empty($_SESSION[$name])) return TRUE;
	 else return FALSE;
  }

  public function fetch($name){
     $this->validate();
     if($this->exist($name)) return $_SESSION[$name];
     else $this->error("Cannot retrieve session var {$name}.");	 
  }

  public function assign($name, $value, $override = FALSE, $encrypt = FALSE){
     $this->validate();
     $value = ($encrypt == TRUE)?hash('sha512', $value):$value;
	 if(!empty($_SESSION[$name]) and $override == FALSE) $this->error("Cannot override session var {$name}.");	
	 else $_SESSION[$name] = $value;
  }

  public function delete($name){
     $this->validate();  

     if(!isset($_SESSION[$name])) $this->error("Cannot locate session var {$name}.");	 
	 else unset($_SESSION[$name]);
  }

  public function regen($name){
     $this->validate();
     $this->ssid = session_regenerate_id();
	 $this->initime = time();
  }

  private function validate(){
     if($this->useragent != $_SERVER['HTTP_USER_AGENT'] or $this->clientip != $_SERVER['REMOTE_ADDR']){ 
	    $this->destroy();
	    $this->error("User IP has changed...");
     }
     else return TRUE;	 
  }

  public function destroy(){
     $_SESSION = array();
     session_destroy();
  }

  private function error($message){
     throw new Exception($message);	 
  }  

}
?>

bradgrafelman

One problem I see is that you seem to care whether the user's IP has changed or not. Why is that?

In the old days, you could tell if you had visitors on AOL without even doing a reverse DNS lookup, because their IPs would often change from one request to the next due to the way AOL handled its proxy/cache gateways.

Same could be said for any corporation as well; if their load balancers decide that every other request should go out via a different egress route (and result in different external IPs being used), why do you consider that an 'error' ?

Lord_Yggdrasill

Well this is the first step to take to get rid of possible Session hijack hazard, of course I know it is not enough so I will be adding more security approaches to eliminate risk of session hijack before putting this class into use.