Merge pull request #5 from ingenerator/add-mysql-session-handler

craig410 · web-flow · commit c5be0554d812 · 2018-08-16T13:14:51.000+01:00
Add MySQL session handler
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ### Unreleased
 
+### v0.1.5(2018-08-16)
+
+* Add MysqlSession session handler
+
 ### v0.1.4 (2018-04-30)
 
 * Add StrictDate::on_or_after for validating date >= date ignoring any time component
diff --git a/src/Session/MysqlSession.php b/src/Session/MysqlSession.php
@@ -0,0 +1,220 @@
+<?php
+/**
+ * @author    Craig Gosman <craig@ingenerator.com>
+ * @licence   proprietary
+ */
+
+
+namespace Ingenerator\PHPUtils\Session;
+
+
+use PDO;
+use SessionHandlerInterface;
+
+class MysqlSession implements SessionHandlerInterface
+{
+    /**
+     * @var PDO
+     */
+    protected $db;
+
+    /**
+     * @var string
+     */
+    protected $hash_salt;
+
+    /**
+     * @var int
+     */
+    protected $lock_timeout;
+
+    /**
+     * @var int
+     */
+    protected $session_lifetime;
+
+    /**
+     * @var string
+     */
+    protected $session_lock;
+
+    /**
+     * @param PDO    $db
+     * @param string $hash_salt
+     * @param int    $lock_timeout seconds to wait for MySQL lock
+     */
+    public function __construct(PDO $db, $hash_salt, $lock_timeout = 20)
+    {
+        $this->db               = $db;
+        $this->hash_salt        = $hash_salt;
+        $this->lock_timeout     = $lock_timeout;
+        $this->session_lifetime = ini_get('session.gc_maxlifetime');
+    }
+
+    /**
+     * @return void
+     */
+    public function initialise()
+    {
+        session_set_save_handler($this, TRUE);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function close()
+    {
+        return $this->releaseLock();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function destroy($id)
+    {
+        return $this->db->prepare("DELETE FROM `sessions` WHERE `id` = :id")
+            ->execute(['id' => $id]);
+    }
+
+    /**
+     * Garbage collects expired sessions based on current session.gc_maxlifetime
+     *
+     * @return int
+     */
+    public function garbageCollect()
+    {
+        return $this->gc($this->session_lifetime);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function gc($maxlifetime)
+    {
+        $now = new \DateTimeImmutable();
+        $gc  = $this->db->prepare("DELETE FROM `sessions` WHERE `last_active` < :expire");
+        $gc->execute(['expire' => $now->sub(new \DateInterval('PT'.$maxlifetime.'S'))->format('Y-m-d H:i:s')]);
+
+        return $gc->rowCount();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function open($save_path, $name)
+    {
+        return TRUE;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function read($id)
+    {
+        $now = new \DateTimeImmutable();
+
+        $this->getLock($id);
+
+        $query = $this->db->prepare(
+            "SELECT `session_data` FROM `sessions` WHERE `id` = :id AND `last_active` > :expire AND `hash` = :hash LIMIT 1"
+        );
+        $query->execute(
+            [
+                'id'     => $id,
+                'expire' => $now->sub(new \DateInterval('PT'.$this->session_lifetime.'S'))->format('Y-m-d H:i:s'),
+                'hash'   => $this->calculateHash(),
+            ]
+        );
+
+        if ($result = $query->fetchColumn(0)) {
+            return $result;
+        }
+
+        // on error return an empty string - this HAS to be an empty string
+        return '';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function write($id, $session_data)
+    {
+        $user_agent = '';
+        if (isset($_SERVER['HTTP_USER_AGENT'])) {
+            $user_agent = $_SERVER['HTTP_USER_AGENT'];
+        }
+
+        $ip = '';
+        if (isset($_SERVER['REMOTE_ADDR'])) {
+            $ip = $_SERVER['REMOTE_ADDR'];
+        }
+
+        return $this->db->prepare(
+            "INSERT INTO `sessions` (`id`, `hash`, `session_data`, `last_active`, `session_start`, `user_agent`, `ip`) 
+                          VALUES (:id, :hash, :data, :now, :now, :user_agent, :ip) 
+                          ON DUPLICATE KEY UPDATE session_data = :data, last_active = :now, user_agent = :user_agent, ip = :ip"
+        )->execute(
+            [
+                'id'         => $id,
+                'hash'       => $this->calculateHash(),
+                'data'       => $session_data,
+                'now'        => date('Y-m-d H:i:s'),
+                'user_agent' => $user_agent,
+                'ip'         => $ip,
+            ]
+        );
+    }
+
+    /**
+     * @return string
+     */
+    protected function calculateHash()
+    {
+        $hash = '';
+
+        if (isset($_SERVER['HTTP_USER_AGENT'])) {
+            $hash .= $_SERVER['HTTP_USER_AGENT'];
+        }
+
+        $hash .= $this->hash_salt;
+
+        return sha1($hash);
+    }
+
+    /**
+     * @param $id
+     *
+     * @return bool
+     * @throws \ErrorException
+     */
+    protected function getLock($id)
+    {
+        $this->session_lock = 'session_'.$id;
+
+        $query = $this->db->prepare("SELECT GET_LOCK(:session_lock, :timeout)");
+        $query->execute(['session_lock' => $this->session_lock, 'timeout' => $this->lock_timeout]);
+        $result = $query->fetchColumn(0);
+
+        if ($result != 1) {
+            throw new SessionLockNotObtainedException('Could not obtain session lock!');
+        }
+
+        return TRUE;
+    }
+
+    /**
+     * @return bool
+     */
+    protected function releaseLock()
+    {
+        $query = $this->db->prepare("SELECT RELEASE_LOCK(:session_lock)");
+        $query->execute(['session_lock' => $this->session_lock]);
+        $result = $query->fetchColumn(0);
+
+        if ($result == 1) {
+            return TRUE;
+        }
+
+        return FALSE;
+    }
+}
diff --git a/src/Session/README.md b/src/Session/README.md
@@ -0,0 +1,57 @@
+MySQL Session Handler
+=====================
+
+Setup
+-----
+
+```
+CREATE TABLE `sessions` (
+  `id` varchar(40) NOT NULL DEFAULT '',
+  `hash` varchar(40) NOT NULL DEFAULT '',
+  `session_data` blob NOT NULL,
+  `last_active` datetime NOT NULL,
+  `session_start` datetime NOT NULL,
+  `user_agent` varchar(255) DEFAULT NULL,
+  `ip` varchar(15) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+```
+
+Set session expiry using `session.gc_maxlifetime` in `php.ini`
+
+Usage
+-----
+
+Call `MysqlSession->initialise();` to set this as your session handler
+in your bootstrap.
+
+Garbage collection
+------------------
+
+PHP does probability based session GC by default. Using
+`session.gc_divisor` and `session.gc_probability` in `php.ini` to
+control the frequency
+
+Probability based GC works somewhat but it has few problems.
+1) Low traffic sites' session data may not be deleted within the
+preferred duration.
+2) High traffic sites' GC may be too frequent GC.
+3) GC is performed on the user's request and the user will experience a
+ GC delay.
+
+Therefore, it is recommended to execute GC periodically for production
+systems using cron. Make sure to disable probability based GC by
+setting `session.gc_probability = 0`.
+
+As you can only call [session_gc()](http://php.net/manual/en/function.session-gc.php)
+after you have called `session_start()` and you may not want / have a
+session handler for PHP CLI you can call `garbageCollect()` on
+`MySQLSession` to achieve the same effect without initialising a
+session first
+
+A sample cron would look something like:
+```
+$pdo             = new PDO("mysql:host=$servername;dbname=$db", $username, $password);
+$session_handler = new Ingenerator\PHPUtils\Session\MysqlSession($pdo, 'insecure-secret');
+echo $session_handler->garbageCollect()." sessions were garbage collected".PHP_EOL;
+```
diff --git a/src/Session/SessionLockNotObtainedException.php b/src/Session/SessionLockNotObtainedException.php
@@ -0,0 +1,13 @@
+<?php
+/**
+ * @author    Craig Gosman <craig@ingenerator.com>
+ * @licence   proprietary
+ */
+
+namespace Ingenerator\PHPUtils\Session;
+
+
+class SessionLockNotObtainedException extends \ErrorException
+{
+
+}
diff --git a/test/unit/Session/MysqlSessionTest.php b/test/unit/Session/MysqlSessionTest.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * @author    Craig Gosman <craig@ingenerator.com>
+ * @licence   proprietary
+ */
+
+namespace test\unit\Ingenerator\PHPUtils\Session;
+
+
+use Ingenerator\PHPUtils\Session\MysqlSession;
+use PHPUnit\Framework\TestCase;
+
+class MysqlSessionTest extends TestCase
+{
+
+    public function test_it_is_initialisable()
+    {
+        $this->assertInstanceOf(MysqlSession::class, $this->newSubject());
+    }
+
+    protected function newSubject()
+    {
+        return new MysqlSession(new PDOMock, 'insecure-salt');
+    }
+
+}
+
+class PDOMock extends \PDO {
+    public function __construct() {}
+}
