  • Stars: 169
  • Rank: 224,453 (Top 5 %)
  • Language: PHP
  • License: Other
  • Created: over 11 years ago
  • Updated: 5 months ago


Zebra Session

A drop-in replacement for PHP's default session handler which stores session data in a MySQL database, providing better performance, better security and protection against session fixation and session hijacking


Session support in PHP consists of a way to preserve information (variables) on subsequent accesses to a website's pages. Unlike cookies, variables are not stored on the user's computer. Instead, only a session identifier is stored in a cookie on the visitor's computer, which is matched up with the actual session data kept on the server, and made available to us through the $_SESSION super-global. Session data is retrieved as soon as we open a session, usually at the beginning of each page.

By default, session data is stored on the server in flat files, one per session. The problem with this scenario is that performance degrades in proportion to the number of session files in the session directory (depending on how well the server's operating system handles directories holding very many files). Another issue is that session files are usually stored in a location that is world readable, which is a security concern on shared hosting: another account on the same machine can list the directory (the file names embed the session IDs) and read the session contents.

This is where Zebra Session comes in handy - a PHP library that acts as a drop-in replacement for PHP's default session handler, but instead of storing session data in flat files it stores them in a MySQL database, providing better security and better performance.

Zebra Session is also a solution for applications that are scaled across multiple web servers (using a load balancer or a round-robin DNS) where the user's session data needs to be available. Storing sessions in a database makes them available to all of the servers!

Supports "flash data" - session variables which will only be available for the next server request, and which will be automatically deleted afterwards. Typically used for informational or status messages (for example: "data has been successfully updated").
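The "flash data" behaviour described above, as an added illustration written for this page (it is not Zebra_Session's own code and does not use its API): a variable set as flash data survives exactly one more request and is then deleted. The bookkeeping key name `__flash` and the function names are assumptions made for the example.

```php
<?php
// Added example, not Zebra_Session's code: minimal flash data on top of $_SESSION.
// A flagged variable is readable during the next request and removed at the
// start of the request after that. The '__flash' key is an assumption.

const FLASH_KEY = '__flash';

// Store a value and flag it as flash data (age 1 = set during this request).
function set_flashdata(string $name, $value): void
{
    $_SESSION[$name] = $value;
    $_SESSION[FLASH_KEY][$name] = 1;
}

// Call once at the very start of every request, right after the session is
// started and before any set_flashdata() call. Variables flagged in the
// previous request are demoted (age 0); variables already at age 0 were shown
// during the previous request and are deleted now.
function flash_expire(): void
{
    if (empty($_SESSION[FLASH_KEY]) || !is_array($_SESSION[FLASH_KEY])) {
        return;
    }
    foreach ($_SESSION[FLASH_KEY] as $name => $age) {
        if ($age === 0) {
            unset($_SESSION[$name], $_SESSION[FLASH_KEY][$name]);
        } else {
            $_SESSION[FLASH_KEY][$name] = 0;
        }
    }
    if ($_SESSION[FLASH_KEY] === []) {
        unset($_SESSION[FLASH_KEY]);
    }
}

// Stand-alone CLI demonstration: simulate three consecutive requests against a
// constructed, in-memory $_SESSION (no session_start() needed for this).
$_SESSION = [];
flash_expire();                                   // request 1 begins
set_flashdata('status', 'data has been successfully updated');

flash_expire();                                   // request 2 begins
echo 'request 2: ' . (isset($_SESSION['status']) ? 'visible' : 'gone') . "\n";

flash_expire();                                   // request 3 begins
echo 'request 3: ' . (isset($_SESSION['status']) ? 'visible' : 'gone') . "\n";
```

The ordering matters: `flash_expire()` must run before the request sets any new flash data, otherwise a value set and demoted in the same request would already be gone when the next request looks for it.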

This class was inspired by John Herren's code from the Trick out your session handler article (now only available on the Internet Archive) and Chris Shiflett's code from his book Essential PHP Security, chapter 8, Shared Hosting, pp. 78-80.

Zebra Session's code is heavily commented and generates no warnings/errors/notices when PHP's error reporting level is set to E_ALL.

Starting with version 2.0, Zebra Session implements row locks, ensuring that data is correctly handled in a scenario with multiple concurrent AJAX requests.

Citing from Race Conditions with Ajax and PHP Sessions, a great article by Andy Bakun:

When locking is not used, multiple requests (represented in these diagrams as processes P1, P2 and P3) access the session data without any consideration for the other processes and the state of the session data. The running times of the requests are indicated by the height of each process's colored area (the actual run times are unimportant, only the relative start times and durations).

[Diagram: session access without locking]

In the example above, no matter how P2 and P3 change the session data, the only changes that will be reflected in the session are those that P1 made because they were written last. When locking is used, the process can start up, request a lock on the session data before it reads it, and then get a consistent read of the session once it acquires exclusive access to it. In the following diagram, all reads occur after writes:

[Diagram: session access with locking]

The process execution is interleaved, but access to the session data is serialized. The process is waiting for the lock to be released during the period between when the process requests the session lock and when the session is read. This means that your session data will remain consistent, but it also means that while processes P2 and P3 are waiting for their turn to acquire the lock, nothing is happening. This may not be that important if all of the requests change or write to the session data, but if P2 just needs to read the session data (perhaps to get a login identifier), it is being held up for no reason.

So, in the end, this is not the best solution, but it is still better than nothing. The best solution is probably per-variable locking. You can read a very detailed account of all this in Andy Bakun's article Race Conditions with Ajax and PHP Sessions.

Thanks to Michael Kliewe who brought this to my attention!
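To make the two ideas above concrete (session data kept in a MySQL table, and concurrent requests for the same session serialised with a row lock), here is an added example written for this page. It is not Zebra_Session's code and does not reproduce its table layout or API; the table name `sessions`, its columns, and the function names are assumptions. It is a plain `SessionHandlerInterface` implementation, so once registered, `$_SESSION` works as usual.

```php
<?php
// Added example, not Zebra_Session's own code: a minimal MySQL-backed session
// handler that serialises concurrent requests for one session with an InnoDB
// row lock (SELECT ... FOR UPDATE). Needs PHP 7.4+ (typed properties) and an
// InnoDB table; MyISAM has no row locks. Table and column names are assumptions.
//
// Assumed schema:
//   CREATE TABLE sessions (
//     id      VARBINARY(128) NOT NULL PRIMARY KEY,
//     data    BLOB           NOT NULL,
//     expires INT UNSIGNED   NOT NULL,
//     KEY expires_idx (expires)
//   ) ENGINE=InnoDB;

final class LockingDbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;            // expected to be configured with PDO::ERRMODE_EXCEPTION
    private int $lifetime;      // seconds a session stays valid after its last write
    private bool $locked = false;

    public function __construct(PDO $db, int $lifetime = 1440)
    {
        $this->db       = $db;
        $this->lifetime = $lifetime;
    }

    public function open($path, $name): bool
    {
        return true;
    }

    // read() is the only place that blocks. The row lock is held from here until
    // close() commits, so a second request for the same session ID waits in its
    // own read() and then sees everything the first request wrote: the
    // serialised "all reads occur after writes" schedule from the article above.
    public function read($id): string
    {
        $this->db->beginTransaction();
        $this->locked = true;

        $select = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires > :now FOR UPDATE'
        );
        $select->execute([':id' => $id, ':now' => time()]);
        $data = $select->fetchColumn();

        if ($data === false) {
            // Unknown or expired session: create its row inside the transaction
            // so the row lock covers the rest of this request as well.
            $insert = $this->db->prepare(
                'REPLACE INTO sessions (id, data, expires) VALUES (:id, :data, :expires)'
            );
            $insert->execute([':id' => $id, ':data' => '', ':expires' => time() + $this->lifetime]);
            return '';
        }
        return (string) $data;
    }

    public function write($id, $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, expires) VALUES (:id, :data, :expires)'
        );
        $stmt->bindValue(':id', $id);
        $stmt->bindValue(':data', $data, PDO::PARAM_LOB);
        $stmt->bindValue(':expires', time() + $this->lifetime, PDO::PARAM_INT);
        return $stmt->execute();
    }

    // PHP calls close() after write() (or straight after read() for a request
    // that never writes). Committing here releases the row lock to the next
    // waiting request.
    public function close(): bool
    {
        if ($this->locked) {
            $this->db->commit();
            $this->locked = false;
        }
        return true;
    }

    public function destroy($id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')
                        ->execute([':id' => $id]);
    }

    #[\ReturnTypeWillChange]  // PHP 8.1+ expects int|false here, older PHP expects bool
    public function gc($max_lifetime)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Register the handler and start the session; $_SESSION then works as usual.
function start_locked_session(PDO $db): void
{
    session_set_save_handler(new LockingDbSessionHandler($db), true);
    session_start();
}
```

Two practical notes. First, exactly as the quoted article warns, the lock is held for the whole request, so a long-running request that only needs to read the session should call `session_write_close()` as early as possible to let the other requests through (PHP's default file handler holds an equivalent exclusive `flock()` for the same duration, so this is not a regression compared to the flat-file default). Second, two concurrent requests presenting the same ID that has no row yet can deadlock on InnoDB's gap lock; one of them receives a deadlock error and should simply retry. A freshly issued ID only reaches the browser with the first response, so this case is rare in practice.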

Features

  • acts as a wrapper for PHP's default session handling functions, but instead of storing session data in flat files it stores them in a MySQL database, providing better security and better performance

  • it is a drop-in and seamless replacement for PHP's default session handler: PHP sessions will be used in the same way as prior to using the library; you don't need to change any existing code!

  • integrates seamlessly with PDO (if you are using PDO) but works perfectly without it

  • implements row locks, ensuring that data is correctly handled in scenarios with multiple concurrent AJAX requests

  • because session data is stored in a database, the library represents a solution for applications that are scaled across multiple web servers (using a load balancer or a round-robin DNS)

  • has awesome documentation

  • the code is heavily commented and generates no warnings/errors/notices when PHP's error reporting level is set to E_ALL

📔 Documentation

Check out the awesome documentation!

🎂 Support the development of this project

Your support means a lot and it keeps me motivated to keep working on open source projects.
If you like this project please ⭐ it by clicking on the star button at the top of the page.
If you are feeling generous, you can buy me a coffee by donating through PayPal, or you can become a sponsor.
Either way - Thank you! 🎉


Requirements

PHP 5.5.2+ with the mysqli extension activated, MySQL 4.1.22+

Installation

You can install via Composer

# get the latest stable release
composer require stefangabos/zebra_session

# get the latest commit
composer require stefangabos/zebra_session:dev-master

Or you can install it manually by downloading the latest version, unpacking it, and then including it in your project

require_once 'path/to/Zebra_Session.php';

Install MySQL table

The install directory contains a file named session_data.sql. This file holds the SQL that creates the table the class uses to store session data. Import or execute the SQL using your preferred MySQL manager (like phpMyAdmin or the fantastic Adminer) into a database of your choice.

How to use

Note that this class assumes that there is an active connection to a MySQL database and it does not attempt to create one!

<?php
// first, connect to a database containing the sessions table
// either by something similar to
//
// $link = mysqli_connect($host, $username, $password, $database);
//
// or by using PDO
//
// try {
//     $link = new PDO(
//         'mysql:host=' . $host . ';dbname=' . $database . ';charset=utf8mb4', $username, $password, array(
//             PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//         )
//     );
// } catch (\PDOException $e) {
//     throw new \PDOException($e->getMessage(), (int)$e->getCode());
// }

// include the Zebra_Session class
// (you don't need this if you are using Composer)
require 'path/to/Zebra_Session.php';

// instantiate the class
// this also calls session_start()
$session = new Zebra_Session($link, 'sEcUr1tY_c0dE');

// from now on, use sessions as you would normally
// this is why it is called a "drop-in replacement" :)
$_SESSION['foo'] = 'bar';

// data is in the database!
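Moving session data into a database does not by itself cover the session-ID hygiene that the application must still do: regenerating the ID when the privilege level changes (the core session-fixation defence) and setting the cookie flags. The following is an added example written for this page, not part of Zebra_Session, and uses only PHP's own session functions, which route through whichever save handler is registered. `authenticate()` and its constructed user table are assumptions. Where a library starts the session for you, as the constructor above does, the cookie and strict-mode settings have to be applied before that constructor call.

```php
<?php
// Added example, not part of Zebra_Session: session-ID hygiene that any storage
// back end still needs from the application. authenticate() and its user table
// are constructed for this example.

function start_hardened_session(): void
{
    // Cookie flags apply no matter where session data lives: HttpOnly keeps the
    // ID away from script, Secure keeps it off plaintext HTTP, SameSite=Lax
    // blunts cross-site requests that carry the cookie. Array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse session IDs the server never issued, the raw material of a fixation
    // attack. With a user-level save handler this only takes effect if the
    // handler also implements SessionUpdateTimestampHandlerInterface::validateId().
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Constructed credential check; a real application looks the hash up in its user store.
function authenticate(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    // The privilege level is about to change: issue a fresh ID and delete the
    // old server-side record (the true argument). An attacker who planted the
    // pre-login ID in the victim's browser is left holding a dead identifier.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as the record on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With a database-backed handler, `session_regenerate_id(true)` ends up calling the handler's `destroy()` for the old ID and `write()` for the new one, so the old row disappears from the table rather than lingering until garbage collection.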
