Author Topic: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB  (Read 37344 times)


Offline IcEcReaM

So where to start?

As I understood, 4images 1.71 uses a new session system,
and the sessions table is not needed anymore to identify users,
cause session IDs are stored in the user's cookie or per session ID in the URL.
But unfortunately some functions like the who's online list need the sessions table
to show who's online and at which location.

But after reports from some users
that they have some problems, I discovered it too.

It happens if, for example:
User opens browser -> has set cookie for automatic login -> new session entry in DB is made
User does nothing for 20 minutes, but leaves his browser open
so the 4images session system deletes the user's session from the DB (because of the timeout)
User visits the gallery again
cause he has his old session ID stored in cookie or URL, the 4images gallery now tries to update the user's session entry in the DB,
but the session entry is already deleted, and there is no check whether the user's session entry exists.

To fix this problem I have two solutions,
both are working and are secure,
but I would like to hear from vano or the other admins
which way is faster.

German:
Short translation into German.
As far as I know, 4images has used a new session system since version 1.71,
and because of that, verifying users through the session system in the DB is no longer necessary.
However, some functions, such as the Who's online list, still use these DB entries.
Since the session IDs are given to the user by cookie or by URL.
Unfortunately, it is the case that when, for example,
a user comes to the site -> he is assigned a session ID
User does nothing for 20 minutes
4images deletes the session ID from the DB (because of the user timeout)
User comes back to the site without having closed the browser window
4images tries to update the user's entry in the DB.
Unfortunately the DB entry has already been deleted, and no check takes place
whether the entry still exists.

File to edit:
includes/session.php

Way 1
Find
Code:
  function update_session() {
    global $site_db;


    $sql = "UPDATE ".SESSIONS_TABLE."
            SET session_lastaction = $this->current_time, session_location = '$this->user_location'
            WHERE session_id = '$this->session_id'";
    $site_db->query($sql);

And insert below
Code:
    /** Session Update Fix **/
    $foo = $site_db->affected_rows();

    if ($foo == 0) {      // old session entry is already deleted
      $sql = "INSERT INTO ".SESSIONS_TABLE."
              (session_id, session_user_id, session_lastaction, session_location, session_ip)
              VALUES
              ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";
      $site_db->query($sql);
    }

    /** Session Update Fix **/


Way 2

Search for
Code:
  function update_session() {
    global $site_db;

    $sql = "UPDATE ".SESSIONS_TABLE."
            SET session_lastaction = $this->current_time, session_location = '$this->user_location'
            WHERE session_id = '$this->session_id'";
    $site_db->query($sql);

and replace it with

Code:
  function update_session() {
    global $site_db;

      $sql = "REPLACE INTO ".SESSIONS_TABLE."
              (session_id, session_user_id, session_lastaction, session_location, session_ip)
              VALUES
              ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";
      $site_db->query($sql);


I think the first way would be a little bit faster,
cause the second way always performs 2 queries.

Hope that helps.
« Last Edit: February 16, 2006, 03:59:54 PM by IcEcReaM »
Coding is a everlasting competition between programmers who tries to write larger, better and idiot-safe programs and the universe producing larger and stupider idiots...
...so far the universe won
bump

Offline TheOracle

Re: [Fix] Session ID / Who's online list / Sessionsinformation in DB
« Reply #1 on: February 16, 2006, 03:50:04 PM »
Either way, you haven't specified the filename in order to make these modifications. ;)

Offline IcEcReaM

Re: [Fix] Session ID / Who's online list / Sessionsinformation in DB
« Reply #2 on: February 16, 2006, 04:00:16 PM »
hmmm, how could I forget the most important step...  :mrgreen:

Offline TheOracle

Re: [Fix] Session ID / Who's online list / Sessionsinformation in DB
« Reply #3 on: February 16, 2006, 04:33:14 PM »
Thanks. I will notify my users of these discoveries. It might help them to resolve the issues they're actually encountering with 4images sessions.

Note: This, unfortunately, disregards the session bugs there were in PHP v4.3.10, as I think it is also important to announce. ;)

Offline trez

Re: [Fix] Session ID / Who's online list / Sessionsinformation in DB
« Reply #4 on: February 16, 2006, 06:10:18 PM »
I've changed it, now I'm waiting 20 minutes, a very great FIX, thanks!

Offline TheOracle

Re: [Fix] Session ID / Who's online list / Sessionsinformation in DB
« Reply #5 on: February 16, 2006, 06:18:48 PM »
@icecream:

In the meantime, I have re-read your codings above and, I think, way 2 should be considered as the only way. Why? Well, way 1 will simply use more server resources since additional PHP codings and SQL statements have been added so that, way 2, you only expanded the current routine and added a replacement rather than updating (also some new things involved in the codes of course). ;)

Offline V@no

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #6 on: February 17, 2006, 02:23:22 AM »
I really don't know the difference in performance, so I'd go with number 2 version...
Also, it could be done with this query:
Code:
    // ON DUPLICATE KEY UPDATE takes a plain list of column assignments:
    // no table name, no SET and no WHERE clause (the key conflict selects the row).
    $sql = "INSERT INTO ".SESSIONS_TABLE."
            (session_id, session_user_id, session_lastaction, session_location, session_ip)
            VALUES
            ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')
            ON DUPLICATE KEY UPDATE
            session_lastaction = $this->current_time, session_location = '$this->user_location'";
The difference between this method and number 2 is that this will not remove the database entry if it's present, but will update it instead.
Let's hear what Jan decides ;)
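The difference described above between REPLACE and an insert-or-update, as an added example that is not part of the thread or of 4images. It uses PDO prepared statements with an in-memory SQLite database standing in for MySQL and assumes session_id is the table's primary key; the function names and sample values are made up for the illustration.

```php
<?php
// Added example (not 4images code). SQLite in memory stands in for MySQL;
// column names follow the thread, session_id as PRIMARY KEY is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sessions (
    session_id         TEXT PRIMARY KEY,
    session_user_id    INTEGER NOT NULL,
    session_lastaction INTEGER NOT NULL,
    session_location   TEXT NOT NULL,
    session_ip         TEXT NOT NULL)");

// Way 2 from the thread: REPLACE deletes any existing row, then inserts.
function touch_replace(PDO $db, array $s): void {
    $db->prepare("REPLACE INTO sessions
        (session_id, session_user_id, session_lastaction, session_location, session_ip)
        VALUES (:id, :uid, :t, :loc, :ip)")->execute($s);
}

// Upsert: insert if missing, otherwise touch only the two columns the
// original UPDATE changed. MySQL spells the last clause
// "ON DUPLICATE KEY UPDATE col = value, ..." instead of ON CONFLICT.
function touch_upsert(PDO $db, array $s): void {
    $db->prepare("INSERT INTO sessions
        (session_id, session_user_id, session_lastaction, session_location, session_ip)
        VALUES (:id, :uid, :t, :loc, :ip)
        ON CONFLICT(session_id) DO UPDATE SET
            session_lastaction = excluded.session_lastaction,
            session_location   = excluded.session_location")->execute($s);
}

function stored_ip(PDO $db, string $id): string {
    $q = $db->prepare("SELECT session_ip FROM sessions WHERE session_id = ?");
    $q->execute([$id]);
    return (string) $q->fetchColumn();
}

// Constructed sample data: same session id, second request from another address.
$first  = [':id' => 'abc123', ':uid' => 7, ':t' => 1000, ':loc' => 'index.php',   ':ip' => '192.0.2.10'];
$second = [':id' => 'abc123', ':uid' => 7, ':t' => 1060, ':loc' => 'details.php', ':ip' => '198.51.100.5'];

touch_upsert($db, $first);    // row missing (e.g. timed out): inserted
touch_upsert($db, $second);   // row present: only lastaction/location change
echo "upsert:  ", stored_ip($db, 'abc123'), "\n";

$db->exec("DELETE FROM sessions");
touch_replace($db, $first);
touch_replace($db, $second);  // whole row rewritten, including session_ip
echo "replace: ", stored_ip($db, 'abc123'), "\n";
```

With the upsert, the session_ip recorded when the row was created survives later requests, while REPLACE overwrites it with whichever address sent the latest request. Bound parameters also keep the cookie- or URL-supplied session ID out of the SQL text.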

Offline IcEcReaM

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #7 on: February 17, 2006, 09:55:19 AM »
I mean both codes are working,
and normally you don't even notice any performance differences,
only when you have really a lot of members who are active at the same time.

But this function is used every time,
so it should use the better performing way.
REPLACE seems much nicer coded,
but always does 2 queries: check if an entry is already there, and then an insert.

So cause I am not really an SQL pro, I can't say which one is better for the performance.

Let's wait until Jan says something about this.

Offline trez

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #8 on: February 17, 2006, 05:50:21 PM »
Icecream, I use the first version of your MOD and it works just great! :) :) I have just a little question. My users are not shown in whos_online if they are inactive for more than 3 minutes - how do I fix that? I want them to appear for about 10 minutes, even if they're not active. Any idea?

Offline IcEcReaM

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #9 on: February 17, 2006, 06:35:10 PM »
This option you can set in the control panel under settings.

Offline trez

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #10 on: February 18, 2006, 01:29:06 AM »
If you mean "Session timeout in minutes" in the ACP, it's not what I mean, that's for the session.  :roll: Unfortunately, the session length has nothing to do with the whos_online list. I put the session length on 20 minutes, but my users disappear after 3 minutes of inactivity (but the session is still active, and they are not logged out)

Offline IcEcReaM

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #11 on: February 18, 2006, 01:45:00 PM »
ah, ok,
I looked at the sessions.php code,
and you're right.
the user online feature doesn't handle the saved session timeout.
search in sessions.php for
Code:
$time_out = time() - 300;
here you can set when users are inactive and aren't counted anymore.
for example: 300 is 5 minutes.
the value is given in seconds.

Offline trez

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #12 on: February 18, 2006, 02:50:59 PM »
thanks very much :)

Offline TheOracle

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #13 on: February 18, 2006, 07:29:23 PM »
@icecream:

I thought about this line myself actually and, since you posted it, I think I'm considering putting this "300" (default #) under the ACP's configuration page so that users wouldn't encounter these problems anymore. There are several posts about this issue and I think it would be ideal. ;)

Yes, it is agreeable to say it would use a little bit more resources "but" would also save webmasters from seeking this option under the session's core. ;)

Offline trez

Re: [1.7 / 1.7.1] Session ID / Who's online list / Sessionsinformation in DB
« Reply #14 on: February 18, 2006, 08:01:22 PM »
That's a good idea, Oracle!