Posted by ncc, July 30th, 2005, 10:54 AM

After much research on the session topic and the object provided by the book, I realize that several things are pretty unusable. They are as follows:

a) You will have to change several private functions, as indicated by the book, to public functions. This leads programmers into a much confused state.

b) Because the usersession class uses the session_set_save_handler function, only private variables such as native_session_id and session_id will be remembered throughout the entire session. Hence, they can be remembered in another page even if a new Usersession instance is created there. This is because any variable assignment used in the session_read_method function (one of the special functions utilised by session_set_save_handler) will be remembered throughout the session.

Other private variables such as logged_in will never be able to be shared in other pages when you declare the usersession object as a new instance. In other words, any other functions not utilized by session_set_save_handler are considered "stand-alone" functions. When you declare a new instance of the usersession class, you will realize that the values are only valid for each instance, not shared, which is not what you wish to have since usersession is supposed to be shared across other pages.

Research from the php.net forum has shown that user authentication should not be used in the session_set_save_handler function, as explained by Robert Chapin. And my research shows likewise, as variables cannot be transferred between pages.

My advice is to remove:
- function Login($strUserName, $strPlainPassword),
- function LogOut(),

Create another user class for login and authentication purposes.

For user "mlange"'s kind of problem, if you wish to share data between pages, consider the overloading method. As "mlange" has said:

<QUOTE>
It is no use to try session_start(), as session is already started in the constructor, however, we need to pass $Session on to the next page. Of course this could be handled by posting $Session in the form as well, but that would be a bit ugly, as Sessions should not have to be posted along...
</QUOTE>

Consider this:

page1.php

$usersession = new usersession();
$login = new login($username, $userpwd);

if ($login->loginstatus == true)
{
   $usersession->LOGINSTATUS = TRUE;
   // Same statement: $_SESSION["LOGINSTATUS"] = TRUE;
   // But we use the OOP method instead, storing the
   // session in our database instead of a file
}
else
{
   $usersession->LOGINSTATUS = FALSE;
   // Same statement: $_SESSION["LOGINSTATUS"] = FALSE;
   // But we use the OOP method instead, storing the
   // session in our database instead of a file
}

// Put some methods to go to page2.php
   :
   :
   :


page2.php
$usersession = new usersession();

// Check if the user has logged in:
// Same as: if ($_SESSION["LOGINSTATUS"] == TRUE)
if ($usersession->LOGINSTATUS == TRUE)
{
   echo "User has login";
}
else
{
   echo "User failed to login";
}

c) I think the garbage collection method in the construct needs to be improved. (Correct me if I am wrong ...) I think there is no requirement for us to place this statement:

if(isset($_COOKIE["PHPSESSID"]))

Also, I think the session_gc_method can be the function that stores all the necessary garbage collection.

Likewise, I think garbage collection should be imposed on the Impress method first, before you perform any query on the database to update the last_impression field. This is because the user may not have been active for a while and there is no way currently accessing the session class. This will enhance security.

Just my two cents worth of thoughts.

Ng Cher Choon
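
The following is an added example, not code from the post above or from the book it discusses. It sketches the two ideas in the post: property overloading that stores values in the session data, so a new instance on another page sees them, and an idle check that runs before last_impression is refreshed. The class name UserSession, the IDLE_LIMIT value and the last_impression session key are assumptions for illustration; a database-backed save handler registered with session_set_save_handler would persist the same data.

```php
<?php
// Added example. Names and the timeout value are assumptions, not the
// book's code. Whatever save handler is registered persists $_SESSION.

final class UserSession
{
    private const IDLE_LIMIT = 900; // assumed idle timeout, in seconds

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $this->impress();
    }

    // Expire an idle session BEFORE refreshing last_impression, so a stale
    // session is not revived just because it was touched again.
    private function impress(): void
    {
        $last = $_SESSION['last_impression'] ?? null;
        if ($last !== null && time() - $last > self::IDLE_LIMIT) {
            $_SESSION = [];               // drop LOGINSTATUS and all other data
            session_regenerate_id(true);  // retire the old session id
        }
        $_SESSION['last_impression'] = time();
    }

    // Overloading: undeclared properties live in the session data, so every
    // instance on every page reads and writes the same values.
    public function __set(string $name, $value): void
    {
        $_SESSION[$name] = $value;
    }

    public function __get(string $name)
    {
        return $_SESSION[$name] ?? null;
    }
}

// page1.php equivalent: authentication is done by a separate class, and
// only its result is recorded in the session.
$session = new UserSession();
$session->LOGINSTATUS = true;

// page2.php equivalent: a fresh instance sees the stored value.
$other = new UserSession();
var_dump($other->LOGINSTATUS === true);
```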