Chapter 4: Sessions and Users

As mentioned earlier, cookies cannot be written after headers have been sent to the browser. PHP will tell us whether that has happened through its headers_sent function. Aliro tries to ensure session data is written before output of XHTML starts, and the sending of headers is triggered, but it is difficult to absolutely guarantee this. If it is too late, we simply abandon the session data. On a first or an isolated request, that is unlikely to do too much harm. All being well, the session data is encoded to avoid any problems with difficult characters, and written as a cookie. The expiry time is given as zero, which makes it a session cookie that is deleted automatically when the browser is closed. There is no reason to preserve session data beyond the closing down of the browser.

If we have established that cookies are accepted and the database is available, then we are probably not handling a bot or a fresh installation. It should therefore be possible and worthwhile to write the session data to the database, where there is a much more generous limit on the amount of data that can be stored. If there is still a temporary session data cookie in existence from a previous request, it is deleted. Note that the session ID is escaped before being used in a SQL statement. Since it comes from a cookie, there is always a risk of it being tampered with by a cracker, so to protect against SQL injection it is necessary to escape it before putting it into SQL. The session data is encoded so as to handle all kinds of special characters without problems. Finally, the database operation is done. It is written as a single request that will either insert or update data according to the record already present for the current session.

Retrieving Session Data

Now that we have figured out how to handle the write operations, reading back the data is relatively simple:

    public function sess_read ($session_id)
    {
        // A temporary session cookie coming back means cookies work and this is a later request
        if (isset($_COOKIE['aliro_temp_session'])) return base64_decode($_COOKIE['aliro_temp_session']);
        // Without the check cookie, or without a database (installation in progress), there is no usable session
        if (!isset($_COOKIE['aliroCookieCheck']) OR !isset($this->db)) return '';
        // The ID arrived in a cookie and may have been tampered with, so escape it before it reaches SQL
        $session_id = $this->db->getEscaped($session_id);
        $this->db->setQuery("SELECT session_data FROM #__session_data WHERE session_id = '$session_id'");
        return base64_decode($this->db->loadResult());
    }

If we wrote a temporary session data cookie and received it back again in the $_COOKIE super-global, then we know that cookies are working and that this must be a subsequent request. The data from the cookie is returned as the session data. As we now know that cookies are being accepted, we also know that when this request's session data is written, the temporary session data cookie will be deleted, so it is not necessary to do so just yet.

If we have not already obtained session data from a cookie, some more checks are needed. If the check cookie is not available in $_COOKIE then we do not yet have a viable session. Likewise, if no database is available because installation is going on, then nothing more can be done. So, in both these cases empty session data is returned. Provided all these hurdles are overcome, which they often will be, the session ID is escaped and used to look up the session data from the database, decode it, and then return it to the caller.

Keeping Session Data Tidy

Our session data handler can be asked to delete a session, a process that follows similar logic to the one just described:

    public function sess_destroy ($session_id)
    {
        // Expire the temporary cookie unconditionally; it does no harm if it was never set
        setcookie ('aliro_temp_session', null, time()-7*24*60*60, '/');
        // Without the check cookie or a database there is no database record to remove
        if (!isset($_COOKIE['aliroCookieCheck']) OR !isset($this->db)) return;
        // Escape the cookie-supplied ID before it is used in the DELETE statement
        $session_id = $this->db->getEscaped($session_id);
        $this->db->doSQL("DELETE FROM #__session_data WHERE session_id = '$session_id'");
        return true;
    }

As you can see, deletion is simpler than reading, since the temporary session data cookie can be deleted regardless of whether it presently exists. Provided cookies are accepted and the database is available, the relevant session data record can be deleted. It does not matter if there is no such record, since SQL deletions simply delete whatever matches the WHERE condition, and do not mind if nothing matches.

In principle, keeping things tidy on the basis of expiration is a more complicated task. But here the session class can do nearly all of the work for us. The interface with PHP for a session data handler is required to implement a method to handle session expiry, and is passed a timeout value in seconds. The method is as simple as:

    public function sess_gc ($timeout)
    {
        // Delegate expiry handling to the session object, which calls back to remove orphaned data
        $session = aliroSessionFactory::getSession();
        $session->purge($timeout);
    }

All that happens is that we get the current session object and ask it to carry out a purge, passing the timeout. This relies on the session handler's ability to deal with the timeout of sessions. The last thing the purge does is to call back to the session data handler to remove any data that is no longer linked to a session
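The write, read, destroy and expiry logic described in this section, gathered into one handler as an added example that is not Aliro's own code: it follows the same temporary-cookie, check-cookie and insert-or-update scheme, but is written against PHP's SessionHandlerInterface and uses bound PDO parameters instead of escaping the cookie-supplied ID by hand. The table name session_data (with a unique session_id and an updated timestamp column) and the MySQL upsert syntax are assumptions; the cookie names are the ones used in the text.

```php
<?php
// Added example, not Aliro's code. Table "session_data" with unique "session_id" and an
// "updated" timestamp column are assumptions; the upsert uses MySQL syntax.
final class CookieFallbackSessionHandler implements SessionHandlerInterface
{
    private const TEMP = 'aliro_temp_session';    // carries data until the DB is usable
    private const CHECK = 'aliroCookieCheck';     // proves the browser returns cookies
    private const GONE = ['expires' => 1, 'path' => '/'];   // expiry in the past deletes
    public function __construct(private ?PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // Not a bot, not a first hit, not mid-installation
    private function dbUsable(): bool { return isset($_COOKIE[self::CHECK]) && $this->db !== null; }

    public function read(string $id): string|false
    {
        if (isset($_COOKIE[self::TEMP])) {            // cookies work; a later request
            return base64_decode($_COOKIE[self::TEMP], true) ?: '';
        }
        if (!$this->dbUsable()) { return ''; }
        $q = $this->db->prepare('SELECT session_data FROM session_data WHERE session_id = ?');
        $q->execute([$id]);                            // $id came from a cookie: bind it, never interpolate
        $row = $q->fetchColumn();
        return $row === false ? '' : (base64_decode($row, true) ?: '');
    }

    public function write(string $id, string $data): bool
    {
        if (!$this->dbUsable()) {
            if (headers_sent()) { return true; }      // too late for a cookie: drop the data
            return setcookie(self::TEMP, base64_encode($data), ['expires' => 0,   // session cookie
                'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        }
        if (isset($_COOKIE[self::TEMP]) && !headers_sent()) { setcookie(self::TEMP, '', self::GONE); }
        $q = $this->db->prepare('INSERT INTO session_data (session_id, session_data, updated) VALUES (?, ?, UTC_TIMESTAMP())'
            . ' ON DUPLICATE KEY UPDATE session_data = VALUES(session_data), updated = UTC_TIMESTAMP()');
        return $q->execute([$id, base64_encode($data)]);  // single insert-or-update request
    }

    public function destroy(string $id): bool
    {
        if (!headers_sent()) { setcookie(self::TEMP, '', self::GONE); }   // harmless if absent
        return !$this->dbUsable()
            || $this->db->prepare('DELETE FROM session_data WHERE session_id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false   // remove rows older than the timeout
    {
        if ($this->db === null) { return 0; }
        $q = $this->db->prepare('DELETE FROM session_data WHERE updated < ?');
        return $q->execute([gmdate('Y-m-d H:i:s', time() - $max_lifetime)]) ? $q->rowCount() : false;
    }
}
```

Register it before session_start() with session_set_save_handler(new CookieFallbackSessionHandler($pdo), true), passing null for $pdo while installation is in progress so that only the cookie path is used.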