Re: [phpSecureSite-devel] Sessions?
From: Erik G. <er...@ch...> - 2002-01-02 17:38:10
On Wed, 2002-01-02 at 17:53, Woolhiser, Eric wrote:

> OK, I gotta ask, what do you think is wrong with using the session functions?
> If you are going to support sessions but not use the embedded functions, it
> sounds like you wish to re-invent the wheel here.
> Wouldn't phpSecureSite be more likely to thrive as an open source project if
> the code used the standard tool sets?

Ah, glad you asked :)

I'm gonna give a quite lengthy explanation of this in the docs, but I'll try to give a (somewhat) boiled-down explanation here:

The main reason for not using the session()-family is because I find it to be lacking the flexibility I need for my apps - both with regard to security, and functionality. And underlying my reasoning for this is that I find that having a clean, consistent and smart database, and then writing dumb code for it, makes the system smaller, more expandable, cleaner and easier to understand. In fact, the whole reason for this project is that I found the session()-family to be lacking, and I'm therefore writing an alternative to php's session-handling system.

Here are some of the reasons why I find the php built-in session handling to be insufficient:

I want the whole system to be based on a database (as opposed to the server's memory), so it's possible to attach log entries to sessions, which in turn are attached to accounts. As the project progresses I might also be able to add tracking functionality, allowing the site admin to generate statistics based on session activity. I have already added support for IP checking, to prevent session hijacking. This requires that a lot of the session data is already stored in a database, so I didn't see any reason not to base the whole system on databases, instead of using a merger of php's session()-family and my own system.

I believe that sessions weren't introduced to php before version 4, so those who use php3 should be able to get session-handling through my system (although this has not been verified).

And I'm also quite the control-freak, and like to have close to absolute power over my scripts. :) To modify the way the php session system works, you need to modify the php C sources, while my system relies on rather low-level php functions, making it easier to modify.

Of course this has its backsides. Since my system relies 100% on databases for data storage it will require a bit more resources and a fast i/o subsystem (depending on the number of concurrent users), but I think this is an acceptable tradeoff for the (coming) functionality and security. In addition, the php session system allows for sessions based on POST/GET vars and other methods of preserving data. This should not be a problem to include in phpSecureSite, but until then the system requires the use of cookies.

If you, or anyone else, have any thoughts on this, please let me know. Suggestions are always more than welcome.

-- 
Erik Grinaker
UNIX/Linux systems consultant
Elan IT Resource - www.elanit.no

"Perfection is achieved not when there is nothing more to add, but rather when there is nothing more to take away" - Antoine de Saint-Exupéry
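As an added illustration of the design described in the message above (database-backed sessions attached to accounts, per-session log entries, and an IP check against hijacking), here is a minimal PHP sketch; it is example code written for this page, not phpSecureSite's own implementation, and it assumes an in-memory SQLite database via PDO and the hypothetical table layout shown so that it runs stand-alone.

```php
<?php
// Added example (not phpSecureSite code): a database-backed session store
// with an opaque cookie token, IP binding and per-session log entries.
// Assumption: an in-memory SQLite database via PDO with a constructed schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, account_id INTEGER,
                                  ip TEXT, created INTEGER, last_seen INTEGER)');
$db->exec('CREATE TABLE session_log (session_id TEXT, ts INTEGER, event TEXT)');

// Every event is recorded against the session, which is linked to an account.
function logEvent(PDO $db, string $sid, string $event): void {
    $db->prepare('INSERT INTO session_log VALUES (?, ?, ?)')
       ->execute([$sid, time(), $event]);
}

// Create a session for an account; the token is random and carries no data,
// so everything about the session lives in the database, not in the cookie.
function createSession(PDO $db, int $accountId, string $ip): string {
    $sid = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?, ?)')
       ->execute([$sid, $accountId, $ip, time(), time()]);
    logEvent($db, $sid, 'created');
    return $sid;
}

// Validate a token presented in a cookie. Returns the account id, or null if
// the token is unknown or is presented from an IP other than the one it was
// issued to (the mismatch is logged so an admin can review it).
function validateSession(PDO $db, string $sid, string $ip): ?int {
    $st = $db->prepare('SELECT account_id, ip FROM sessions WHERE id = ?');
    $st->execute([$sid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($row['ip'] !== $ip) {
        logEvent($db, $sid, "ip mismatch: expected {$row['ip']}, got $ip");
        return null;
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE id = ?')
       ->execute([time(), $sid]);
    logEvent($db, $sid, 'validated');
    return (int) $row['account_id'];
}

// Demonstration with constructed values: same IP succeeds, other IP is refused.
$sid = createSession($db, 42, '192.0.2.10');
var_dump(validateSession($db, $sid, '192.0.2.10'));
var_dump(validateSession($db, $sid, '198.51.100.7'));
```

In a real deployment the token would be sent with `setcookie()` and read back from `$_COOKIE`; the table and column names here are placeholders chosen for the example.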