PHP 8.3.4 Released!

Die Schnittstelle SessionHandlerInterface

(PHP 5 >= 5.4.0, PHP 7, PHP 8)

Einführung

SessionHandlerInterface ist eine Schnittstelle, die den minimalen Prototyp für die Erstellung einer benutzerdefinierten Sessionverwaltung definiert. Um eine benutzerdefinierte Sessionverwaltung an session_set_save_handler() zu übergeben, die ihren OOP-Aufruf verwendet, kann die Klasse diese Schnittstelle implementieren.

Es ist zu beachten, dass die Callback-Methoden dieser Klasse dazu gedacht sind, intern von PHP aufgerufen zu werden und nicht aus dem Anwenderprogramm aufgerufen werden sollen.

Interface-Übersicht

interface SessionHandlerInterface {
/* Methoden */
public close(): bool
public destroy(string $id): bool
public gc(int $max_lifetime): int|false
public open(string $path, string $name): bool
public read(string $id): string|false
public write(string $id, string $data): bool
}

Beispiel #1 Ein Beispiel mit SessionHandlerInterface

Das folgende Beispiel bietet eine dateibasierte Session-Speicherung ähnlich dem standardmäßigen PHP-Session-Speicherverwalter (PHP Session Standard Save Handler) files. Dieses Beispiel kann leicht erweitert werden, um die Speicherung in einer Datenbank mit der bevorzugten von PHP unterstützten Datenbank-Engine zu ermöglichen.

Zu beachten ist, dass wir den OOP-Prototyp zusammen mit session_set_save_handler() verwenden und die Shutdown-Funktion mit dem Parameter flag der Funktion registrieren. Dies wird im Allgemeinen empfohlen, wenn Objekte als Session-Speicherverwalter registriert werden.

Achtung

Der Kürze halber wird in diesem Beispiel auf eine Überprüfung der Eingaben verzichtet. Allerdings handelt es sich bei den $id-Parametern um vom Benutzer gelieferte Werte, die unbedingt überprüft und bereinigt werden müssen, um Schwachstellen, z. B. Path-Traversal-Probleme, zu vermeiden. Dieses Beispiel sollte daher nicht unverändert in Produktivumgebungen verwendet werden.

<?php
class MySessionHandler implements SessionHandlerInterface
{
private
$savePath;

public function
open($savePath, $sessionName): bool
{
$this->savePath = $savePath;
if (!
is_dir($this->savePath)) {
mkdir($this->savePath, 0777);
}

return
true;
}

public function
close(): bool
{
return
true;
}

#[
\ReturnTypeWillChange]
public function
read($id)
{
return (string)@
file_get_contents("$this->savePath/sess_$id");
}

public function
write($id, $data): bool
{
return
file_put_contents("$this->savePath/sess_$id", $data) === false ? false : true;
}

public function
destroy($id): bool
{
$file = "$this->savePath/sess_$id";
if (
file_exists($file)) {
unlink($file);
}

return
true;
}

#[
\ReturnTypeWillChange]
public function
gc($maxlifetime)
{
foreach (
glob("$this->savePath/sess_*") as $file) {
if (
filemtime($file) + $maxlifetime < time() && file_exists($file)) {
unlink($file);
}
}

return
true;
}
}

$handler = new MySessionHandler();
session_set_save_handler($handler, true);
session_start();

// Fortfahren mit dem Setzen und Abrufen von Werten anhand der
// Schlüssel von $_SESSION

Inhaltsverzeichnis

add a note

User Contributed Notes 8 notes

up
24
ohcc at 163 dot com
6 years ago
As of PHP 7.0, you can implement SessionUpdateTimestampHandlerInterface to
define your own session id validating method like validate_sid and the timestamp updating method like update_timestamp in the non-OOP prototype of session_set_save_handler().

SessionUpdateTimestampHandlerInterface is a new interface introduced in PHP 7.0, which has not been documented yet. It has two abstract methods: SessionUpdateTimestampHandlerInterface :: validateId($sessionId) and SessionUpdateTimestampHandlerInterface :: updateTimestamp($sessionId, $sessionData).

<?php
/*
@author Wu Xiancheng
Code structure for PHP 7.0+ only because SessionUpdateTimestampHandlerInterface is introduced in PHP 7.0
With this class you can validate php session id and update the timestamp of php session data
with the OOP prototype of session_set_save_handler() in PHP 7.0+
*/
class PHPSessionXHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface {
public function
close(){
// return value should be true for success or false for failure
// ...
}
public function
destroy($sessionId){
// return value should be true for success or false for failure
// ...
}
public function
gc($maximumLifetime){
// return value should be true for success or false for failure
// ...
}
public function
open($sessionSavePath, $sessionName){
// return value should be true for success or false for failure
// ...
}
public function
read($sessionId){
// return value should be the session data or an empty string
// ...
}
public function
write($sessionId, $sessionData){
// return value should be true for success or false for failure
// ...
}
public function
create_sid(){
// available since PHP 5.5.1
// invoked internally when a new session id is needed
// no parameter is needed and return value should be the new session id created
// ...
}
public function
validateId($sessionId){
// implements SessionUpdateTimestampHandlerInterface::validateId()
// available since PHP 7.0
// return value should be true if the session id is valid otherwise false
// if false is returned a new session id will be generated by php internally
// ...
}
public function
updateTimestamp($sessionId, $sessionData){
// implements SessionUpdateTimestampHandlerInterface::validateId()
// available since PHP 7.0
// return value should be true for success or false for failure
// ...
}
}
?>
up
6
ohcc at 163 dot com
6 years ago
The non-OOP prototype of session_set_save_handler() supports validate_sid and update_timestamp as of PHP 7.0 while the OOP prototype doesn't even in PHP 7.2. However the OOP prototype does support create_sid since PHP 5.5.1.

validate_sid($sessionId)
This callback is to validate $sessionId. Its return value should be true for valid session id $sessionId or false for invalid session id $sessionId. If false is returned, a new session id is generated to replace the invalid session id $sessionId.

update_timestamp($sessionId)
This call back is to update timestamp, and its return value should be true for success or false for failure.
up
1
ohcc at 163 dot com
6 years ago
As of PHP 5.5.1, another method create_sid() is supported. It will be called when session_regenerate_id() is invoked.

SessionHandlerInterface {
/* Methods */
abstract public bool close ( void )
abstract public bool create_sid ( void )
abstract public bool destroy ( string $session_id )
abstract public bool gc ( int $maxlifetime )
abstract public bool open ( string $save_path , string $session_name )
abstract public string read ( string $session_id )
abstract public bool write ( string $session_id , string $session_data )
}
up
4
avenidagez at foro5 dot com
9 years ago
Note that session_start( ) calls open then read and the class returns true for open and the value of session or empty for read.
Well, then there is no catch for errors, this is, session_start() must return false on failure, but that is not the case for the class implementation on method open, no matter if you return true or false or whatever from open, it is ignored by session_start() function and proceeds to read method
A bug?, if open returns false, session_start() should stop the next step (read) and return itself false

if(session_start()) ...code
else exit( );

So forget about session_start() return value, you need to implement an error catch routine and exit() in case of failure on open method
up
5
warxcell at gmail dot com
11 years ago
You should prepend <b>\</b> before class name, to tell php its from root namespace.
up
2
tony at marston-home dot demon dot co dot uk
5 years ago
Your custom session handler should not contain calls to any of the session functions, such as session_name() or session_id(), as the relevant values are passed as arguments on various handler methods. Attempting to obtain values from alternative sources may not work as expected.
up
0
ohcc at 163 dot com
3 years ago
If you want to use type declarations in your own session handling class, don't "implements" the SessionHandlerInterface, SessionIdInterface, or SessinUpdateTimestampInterface, otherwise you will get a fatal error saying that declaration of the class method must be compatible with the interface method.

a bad example
<?php
class SessionWuXianchengHandler implements SessionHandlerInterface {
public function
open(string $sessionPath, string $sessionName) : bool {
}
......
}
?>

a good example
<?php
class SessionWuXianchengHandler {
public function
open(string $sessionPath, string $sessionName) : bool {
}
......
}
?>
up
-5
StanE
8 years ago
I think there is a small "error" in the example of the class MySessionHandler in method gc(). It uses the function filemtime() whose return value is cached by PHP. Add the following line inside the foreach block in the gc() method:

clearstatcache(true, $file);
To Top