2014-02-13 17 views
1

PHP - when is the read() function of session_set_save_handler() called?

I'm working on a session-management class that involves login and MySQL. The PHP docs say the read() method is called when session_start() is called or when the session starts automatically. When does it "start automatically"? And what is the difference between the open() method and read()?

I have this code snippet, in case it helps, and I'd like to know where session_start() belongs, or whether it is already in the right place. (The whole thing isn't working the way I want; the session is reset on every request, and I don't know why.)

public function __construct($conn) {
    $this->conn = $conn;

    # Set up the handler: PHP will invoke these six callbacks
    # (open, close, read, write, destroy, gc) once session_start() runs below
    session_set_save_handler(
        array($this, '_session_open_method'),
        array($this, '_session_close_method'),
        array($this, '_session_read_method'),
        array($this, '_session_write_method'),
        array($this, '_session_destroy_method'),
        array($this, '_session_gc_method')
    );

    # Check the cookie passed - if one is - if it looks wrong we'll
    # scrub it right away
    $strUserAgent = $_SERVER["HTTP_USER_AGENT"];
    if (isset($_COOKIE["PHPSESSID"])) {
        # Security and age check
        $this->php_session_id = $_COOKIE["PHPSESSID"];

        #$stmt = "select id from http_session where ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < " . $strUserAgent .$this->session_lifespan . " seconds) AND user_agent='" . "' AND ((now() - last_impression) <= '".$this->session_timeout." seconds' OR last_impression IS NULL)";
        #$stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < '" ./*$strUserAgent .*/$this->session_lifespan . "') AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= '".$this->session_timeout . "' OR last_impression IS NULL)";
        $stmt = "SELECT id FROM http_session WHERE ascii_session_id = '" . $this->php_session_id . "' AND ((now() - created) < " ./*$strUserAgent .*/$this->session_lifespan . ") AND user_agent = '" . $strUserAgent . "' AND ((now() - last_impression) <= " . $this->session_timeout . " OR last_impression IS NULL)";
        //echo $stmt;
        $result = $this->conn->query($stmt);

        # No matching row: the session is unknown, expired, or from another user agent
        if (!$result->fetchColumn()) {
            # Set failed flag
            $failed = 1;
            # Delete from database - we do garbage cleanup at the same time
            $maxlifetime = $this->session_lifespan;
            $result = $this->conn->query("DELETE FROM http_session WHERE (ascii_session_id = '" . $this->php_session_id . "') OR (now() - created > '$maxlifetime seconds')");
            #print '<br/>';
            #var_dump($result->rowCount());
            # Clean up stray session variables
            //$result = $this->conn->query("DELETE FROM session_variable WHERE session_id NOT IN (SELECT id FROM http_session)");
            # Get rid of this one... this will force PHP to give us another
            unset($_COOKIE["PHPSESSID"]);
        }
    }

    # Call the session_start method to get things started
    # Set the life time for the cookie
    session_set_cookie_params($this->session_lifespan);
    session_start();
}

Thanks in advance!
Edit:
Yes, I know SQL injection is possible through the session identifier, but that's not my focus right now. Thanks Loz!
This code actually comes from a book, Professional PHP6.

+1

Do you know that $_SERVER["HTTP_USER_AGENT"] can be set to an SQL injection value? –

+0

Make sure you consider concurrency when writing your own session handler. – goat

+0

@rambo How and why is that so? Why? – jasonszhao

Answer

1

There is a key in the php.ini configuration called session.auto_start, which you can set to 1 so that your session starts automatically when the request starts. By default it is set to 0.

Also, the open() method is called before the read() method; the former returns true only when the session was started successfully, and false otherwise. The read() method must always return the session-encoded (serialized) string.
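To see the order the answer describes for yourself, here is an added example (not code from the question, the answer, or the Professional PHP6 book): a tracing save handler with an in-memory store in place of the http_session table. It assumes PHP 8.0 or later for the typed signatures of SessionHandlerInterface.

```php
<?php
// Added example, not code from the question or the answer: an in-memory
// save handler that logs which callbacks PHP invokes, and in what order.
// Run from the CLI: session_start() triggers open() and then read();
// write() and close() run only at session_write_close() (or shutdown).
class TracingHandler implements SessionHandlerInterface
{
    private array $store = [];  // constructed stand-in for the http_session table
    public array $calls = [];   // call log, e.g. ['open', 'read(...)', ...]

    public function open(string $path, string $name): bool
    {
        $this->calls[] = 'open';
        return true;            // returning false makes session_start() fail
    }
    public function close(): bool
    {
        $this->calls[] = 'close';
        return true;
    }
    public function read(string $id): string|false
    {
        $this->calls[] = "read($id)";
        return $this->store[$id] ?? '';  // serialized data, or '' for a new session
    }
    public function write(string $id, string $data): bool
    {
        $this->calls[] = "write($id)";
        $this->store[$id] = $data;
        return true;
    }
    public function destroy(string $id): bool
    {
        $this->calls[] = "destroy($id)";
        unset($this->store[$id]);
        return true;
    }
    public function gc(int $max_lifetime): int|false
    {
        $this->calls[] = 'gc';
        return 0;               // nothing expires in this in-memory store
    }
}

$handler = new TracingHandler();
session_set_save_handler($handler, true); // must precede session_start()
session_start();                          // calls open(), then read()
$_SESSION['user'] = 'alice';
session_write_close();                    // calls write(), then close()
print_r($handler->calls);
```

Depending on session.gc_probability, PHP may occasionally also call gc() right after read(), so the log can contain an extra 'gc' entry on some runs. The session id passed to read() is whatever the cookie carried, so the existence and age checks belong inside read() (or a prior validation step), not in the constructor alone.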

+0

What does "when the request starts" mean? – jasonszhao

+0

I think it's every time you make a request to the server; if all your requests use the session you can use it, but I think anything else might cause overload –