Figure 5-10: How database-based sessions persist in Web server farms. Listing 5-12 shows libsession_handler.php which implements all these functions. Listing 5-12: lib.session_handler.php <?php error_reporting(E_ALL); require_once(‘constants.php’); require_once(‘class.DBI.php’); require_once ‘DB.php’; $DB_URL = “mysql://root:foobar@localhost:/sessions”; $dbi = new DBI($DB_URL); Continued Web Server 1 Web Server 2 Load Balancer Request for application X Session Database Server Old Session File New Session File User request for application X Web Server 3 Web Server n Request 2 for application X User request for application X Chapter 5: Central Authentication System 151 08 549669 ch05.qxd 4/4/03 9:24 AM Page 151 Listing 5-12 (Continued) $SESS_LIFE = get_cfg_var(“session.gc_maxlifetime”); function sess_open($save_path, $session_name) { return true; } function sess_close() { return true; } function sess_read($key) { global $dbi, $DEBUG, $SESS_LIFE; $statement = “SELECT value FROM sessions WHERE “ . “sesskey = ‘$key’ AND expiry > “ . time(); $result = $dbi->query($statement); $row = $result->fetchRow(); if ($row) { return $row->value; } return false; } function sess_write($key, $val) { global $dbi, $SESS_LIFE; $expiry = time() + $SESS_LIFE; $value = addslashes($val); $statement = “INSERT INTO sessions “. “VALUES (‘$key’, $expiry, ‘$value’)”; $result = $dbi->query($statement); if (! $result) { $statement = “UPDATE sessions SET “ . “ expiry = $expiry, value = ‘$value’ “ . “ WHERE sesskey = ‘$key’ AND expiry > “ . time(); $result = $dbi->query($statement); } 152 Part II: Developing Intranet Solutions 08 549669 ch05.qxd 4/4/03 9:24 AM Page 152 return $result; } function sess_destroy($key) { global $dbi; $statement = “DELETE FROM sessions WHERE sesskey = ‘$key’”; $result = $dbi->query($statement); return $result; } function sess_gc($maxlifetime) { global $dbi; $statement = “DELETE FROM sessions WHERE expiry < “ . time(); $qid = $dbi->query($statement); return 1; } session_set_save_handler( “sess_open”, “sess_close”, “sess_read”, “sess_write”, “sess_destroy”, “sess_gc”); ?> Here the sess_open(), sess_close(), sess_read(), sess_destory(), and sess_gc() methods use a DBI object from our class.DBI.php class to implement database-based session management. To implement this database-based session management in our framework, we need to do the following: 1. Place the lib.session_handler.php in the framework directory. For example, if you’re keeping the class.PHPApplication.php in the /usr/php/framework directory, then you should put the lib.session_handler.php in the same directory. 2. Create a database called sessions using mysqladmin command such as mysqladmin -u root -p create sessions. You will need to know the username (here root) and password that is allowed to create databases. Next create a table called sessions using the sessions.ddl script with the mysql -u root -p -D sessions < sessions.sql command. Here’s the sessions.sql: Chapter 5: Central Authentication System 153 08 549669 ch05.qxd 4/4/03 9:24 AM Page 153 CREATE TABLE sessions ( sesskey varchar(32) NOT NULL default ‘’, expiry int(11) NOT NULL default ‘0’, value text NOT NULL, PRIMARY KEY (sesskey) ) TYPE=MyISAM; 3. Modify the following line in lib.session_handler.php to reflect your user name, password, and database host name: $DB_URL = “mysql://root:foobar@localhost:/sessions”; Here user name is root, password is foobar, and database host is local- host . You should change them if they’re different for your system. 4. Add the following line at the beginning of the class.PHPApplication.php file. require_once ‘lib.session_handler.php’; After you’ve completed these steps, you can run your login application and see that sessions are being created in the sessions table in the sessions database. To view sessions in your sessions database, run mysql -u root -p -D sessions. When you’re logged into the sessions database, you can view sessions using queries such as the following: mysql> select * from sessions; + + + + | sesskey | expiry | value | + + + + | 3b6c2ce7ba37aa61a161faafbf8c24c7 | 1021365812 | SESSION_ATTEMPTS|i:3; | + + + + 1 row in set (0.00 sec) After a successful login: mysql> select * from sessions; + + + -+ | sesskey | expiry | value | + + + -+ | 3b6c2ce7ba37aa61a161faafbf8c24c7 | 1021365820 | SESSION_ATTEMPTS|i:3;SESSION_USERNAME|s:15:”joe@evoknow.com”; | + + + -+ 154 Part II: Developing Intranet Solutions 08 549669 ch05.qxd 4/4/03 9:24 AM Page 154 1 row in set (0.00 sec) After logging out: mysql> select * from sessions; Empty set (0.00 sec) You can see that the session is started after login.php and the session is removed once the user runs logout.php. Summary In this chapter you learned about a central authentication system which involves a login and logout application and a central authentication database. All PHP appli- cations in your intranet or Web can use this central authentication facility. When an application is called directly by entering the URL in the Web browser, it can check for the existence of a session for the user and if an existing session is found, she is allowed access or else she is redirected to the login form. The logout applica- tion can be linked from any PHP application to allow the user log out at any time. Once logged out the session is removed. Having a central authentication system such as this helps you reduce the amount of code and maintenance you need to do for creating a seamless authentication process throughout your entire Web or intranet environment. Chapter 5: Central Authentication System 155 08 549669 ch05.qxd 4/4/03 9:24 AM Page 155 . libsession_handler .php which implements all these functions. Listing 5-12: lib.session_handler .php < ?php error_reporting(E_ALL); require_once(‘constants .php ); require_once(‘class.DBI .php ); require_once. lib.session_handler .php in the framework directory. For example, if you’re keeping the class.PHPApplication .php in the /usr /php/ framework directory, then you should put the lib.session_handler .php in the. your system. 4. Add the following line at the beginning of the class.PHPApplication .php file. require_once ‘lib.session_handler .php ; After you’ve completed these steps, you can run your login application