Cheap Web Hosting for Developers

PHP, MySQL, Java, Unix Cheap Web Hosting

128 Chapter 4 Web Application Concepts Figure 4.1

Filed under: Web Applications Development With PHP4.0 — webmaster @ 05:33

Details on session ID propagation in real life will follow a bit later. First, we'd like to show you another way of session ID propagation, arguably the most geeky method.

DNS Tricks

The need to tag all links in an application with the session ID can be really annoying. PHP 4.0 has a way to do it automatically, but it may be a severe performance hit on larger sites, and it doesn't work with PHP 3.0. We may have a solution for you. Up front, the caveats: you need to be able to change the DNS record for your server, and the server you want to use for this kind of session ID propagation needs its own static IP. Name-based virtual hosting won't work here. You meet these requirements? Great.

If you're proficient with name servers, you may know that wildcard entries can be used in DNS configuration. These entries map any arbitrary hostname to a specific IP; for example, we've got this entry to direct requests for everything below phpwebdev.com to the IP 194.242.199.228:

    *.phpwebdev.com IN A 194.242.199.228

A request for http://this.is.one.cool.domain.phpwebdev.com will be directed to the specified IP. Since the hostname is arbitrary, Apache must be configured to handle the IP, as opposed to name-based virtual hosting, where the hostname must be fixed and known. Our Apache configuration looks like this (an IP-based virtual host for the address above):

    <VirtualHost 194.242.199.228>
        ServerAdmin tobias@dev.phpwebdev.com
        DocumentRoot /home/www/htdocs
        ServerName phpwebdev.com
    </VirtualHost>

Our trick will also work fine if Apache's main server is bound to this address. The scope of this is of course to encode the session ID in the hostname itself. On the first request to the application, the session ID is created, and the client is redirected to the new URL containing the tagged hostname, which will look like this:

    355e1bce8828d4fb5c83c1e35ad02caa.phpwebdev.com

The advantage is clear: as long as you use relative links in your application, it's no longer necessary to bother with any manual URL rewriting!
We have modified the earlier session start function to extract the session ID from the hostname:

    function session_start_from_host($host)
    {
        global $HTTP_HOST, $PHP_SELF;
        // The session ID is the 32-character leftmost label of the hostname
        if (ereg("^([0-9a-z]{32})\.", $HTTP_HOST, $regs)) {
            $session_id = $regs[1];
        } else {
            // No tagged hostname yet: create an ID and redirect to the tagged host.
            // (Reconstructed by analogy with session_start_from_path; the original
            // listing ends before this point.)
            srand((double)microtime()*1000000);
            $session_id = md5(uniqid(rand()));
            header("Location: http://$session_id.$host$PHP_SELF");
            exit;
        }
        session_id($session_id);
        session_start();
    }

Note: If you are looking for good and high quality web space to host and run your application check Lunarwebhost Cheap Web Hosting services


Figure 4.1 Amazon.com hides the session ID in the URL.

Dynamic Paths with mod_rewrite

You can avoid at least the hassle of manually encoding the session ID with a clever trick. What if the URL looked like this?

    http://server.com/<session-id>/page.php3

The browser would automatically send the session ID on every request, treating it as part of the directory. Of course, if you try to use this format as is, you'll only get a File Not Found error, because there's no directory that looks like the session ID. We need a way to remove the session ID from the path before the Web server actually sees the URL. This is where mod_rewrite comes into play. This is an Apache module that applies complex regular-expression transformations to a URL before passing it to the Apache server. Using mod_rewrite, we can simply strip out the session ID from the URL; this is an internal change to the URL, and only Apache will see it; the client won't. Apache will see a normal request without the session ID, while it's still available in the usual variables for PHP.

Getting mod_rewrite

The mod_rewrite module is not compiled into Apache by default. Please see Apache's INSTALL file for instructions on how to compile Apache with this module.


HTTP and Sessions 125 Thus, the data needs

Filed under: Web Applications Development With PHP4.0 — webmaster @ 22:16

Anyone who tried to crack this would have to perform a brute-force attack over all possible elements; the attacker would have to find a valid session ID from 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values. Cryptanalysts van Oorschot and Wiener developed a theoretical search machine for MD5 and estimated in 1994 that such a machine (estimated cost: $10 million) would take 24 days on average to crack an MD5-encrypted message.[2] If this worries you, you should consider disconnecting your server from the Internet.

By the way, md5(uniqid()), the same construct from above without a rand() call, would not be sufficiently random; because uniqid() is based on the system time, it can be guessed if the hacker learns the local system time of the server. The space to be searched is then considerably less than 2^128.

Session ID Propagation with Cookies

Now the only remaining issue is making the session ID available to all pages of your application. One way to do it is by setting a cookie containing the ID. If you want to be able to identify a user over multiple visits, using cookies is the only possibility. Unfortunately, a percentage of your users may have turned off cookies in their browsers (some estimates show figures of up to 20%). Depending on your target audience, it may be acceptable to redirect these users to a help page explaining how to enable cookies. Passing the session ID with cookies is by far the easiest method for the developer. Except for setting the cookie, nothing needs to be done by your application.
Manual URL Rewriting

You can also use manual URL rewriting for session ID propagation. This means that you pass the session ID via GET/POST or you hide it in the URL. You need to alter all frame, form, and a HTML tags to include a reference to your ID (the tag markup below is reconstructed; page.php3 and the field name are placeholders):

    // A frame source definition
    printf("<frame src=\"page.php3?session_id=%s\">", $session_id);
    // A hidden form field
    printf("<input type=\"hidden\" name=\"session_id\" value=\"%s\">", $session_id);
    // A normal link
    printf("<a href=\"page.php3?session_id=%s\">Link</a>", $session_id);

If you have image maps, inline frames, or JavaScript redirects in your application, you'll also need to alter those. URL rewriting has several drawbacks:

- It introduces a considerable amount of additional work for you as developer. You have to manually add the session ID to all links. If you forget a single link, the user's session will be lost.


- It reveals that your pages are generated dynamically, and some search engines will refuse to index the pages at all. Other search engines will cut everything after the question mark from the URL.
- The session ID will be added to users' bookmarks and printouts. We even know of articles in technical journals that have the session ID of a Web site included as part of a reference. From a usability point of view, it's harder for users to manually alter the URL to find specific resources on a site.
- The session ID is logged in proxy servers and shows up in the HTTP_REFERER CGI environment variable for other sites.

Dynamic Paths

Let's see if we can avoid some drawbacks of URL rewriting. For a start, you can add the ID to your URL in the Amazon.com way (see Figure 4.1) to make it look like http://server.com/page.php3/<session-id>. With this method, the session ID is part of the path to the script, and the URL looks like a static page to search engines and spiders. This works because the Web server knows that page.php3 is a script, and stops looking further in the URL for files. But this way the session ID is not automatically available in your PHP script. You need to parse the path yourself to get access to it:

    function session_start_from_path()
    {
        global $HTTP_HOST, $REQUEST_URI;
        // Pick the 32-character session ID out of the path info
        $session_id = "";
        if (ereg("/([0-9a-z]{32})", $REQUEST_URI, $regs)) {
            $session_id = $regs[1];
        }
        if (empty($session_id)) {
            // No ID yet: create one and redirect to the tagged path
            srand((double)microtime()*1000000);
            $session_id = md5(uniqid(rand()));
            $destination = "http://$HTTP_HOST$REQUEST_URI/$session_id";
            header("Location: $destination");
            exit; // stop here; the redirected request will carry the ID
        }
        session_id($session_id);
        session_start();
    }

All other drawbacks of URL rewriting still apply to dynamic paths, though.
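The two parsing functions above (the hostname variant and session_start_from_path) in current PHP, as an added example rather than the book's code: the ID is accepted from either the leftmost hostname label or the first path segment after the script, only if it is exactly 32 hex characters, and a missing ID is minted from the OS CSPRNG instead of md5(uniqid(rand())). The function names, the $_SERVER lookups, the APP_DOMAIN constant (set to the book's wildcard zone) and the tagged_location() helper are mine, and the code assumes the default port.

```php
<?php
// Added example, not the book's code: session ID carried in the hostname (DNS
// trick) or in the path after the script (dynamic paths), for current PHP.

const APP_DOMAIN = 'phpwebdev.com'; // the wildcard zone from the text; adjust to yours

// Accept only an exact 32-character hex string as the ID; anything else counts
// as "no ID". Case-insensitive match, lowercased result.
function extract_session_id(string $host, string $request_uri): ?string
{
    // Leftmost hostname label: 355e1bce8828d4fb5c83c1e35ad02caa.phpwebdev.com
    if (preg_match('/\A([0-9a-f]{32})\./i', $host, $m)) {
        return strtolower($m[1]);
    }
    // First path segment after the script: /page.php3/<id>[/...] (query ignored)
    $path = parse_url($request_uri, PHP_URL_PATH) ?? '';
    if (preg_match('~\.php[0-9]?/([0-9a-f]{32})(?:/|\z)~i', $path, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// 128 bits from the OS CSPRNG in the same 32-hex shape the book uses.
function new_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Redirect target for a client that arrived without an ID. $use_host selects the
// DNS trick (ID becomes the leftmost label); otherwise the ID goes into the path.
function tagged_location(string $host, string $request_uri, string $id, bool $use_host): string
{
    if ($use_host) {
        return 'http://' . $id . '.' . $host . $request_uri;
    }
    $path  = parse_url($request_uri, PHP_URL_PATH) ?? '/';
    $query = parse_url($request_uri, PHP_URL_QUERY);
    return 'http://' . $host . $path . '/' . $id . ($query === null ? '' : '?' . $query);
}

function session_start_from_request(bool $use_host = false): void
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    // HTTP_HOST is client-supplied: refuse hosts outside the wildcard zone, or
    // the Location header built from it becomes an open redirect.
    if ($host !== APP_DOMAIN && !str_ends_with($host, '.' . APP_DOMAIN)) {
        http_response_code(400);
        exit;
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    $id  = extract_session_id($host, $uri);
    if ($id === null) {
        header('Location: ' . tagged_location($host, $uri, new_session_id(), $use_host), true, 302);
        exit; // the redirected request carries the ID; nothing else may run now
    }
    // The ID arrived from the client, so it is only as safe as it is unguessable;
    // replace it with session_regenerate_id(true) as soon as the user logs in.
    session_id($id);
    session_start();
}
```

Call session_start_from_request() (or session_start_from_request(true) for the hostname variant) in place of session_start(), before any output.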


Thus, the data needs to be stored on the server. Where exactly you store it isn't all that important; it can be in a relational database management system (RDBMS), a plaintext file, a dBASE file, etc. Because a Web application generally already uses a relational database such as MySQL, this should be the preferred storage medium. To associate the data with a user, you need a session identity number, a key that ties the user to his data. But, as mentioned earlier, HTTP lacks a mechanism to identify users. What should you use, then, to brand the user? One idea that may come to mind immediately is to use the user's IP address. While this approach sounds logical at first glance, the associated problems disqualify it from being used:

- Many ISPs force dial-up users to use proxy servers; of course, $REMOTE_ADDR will show the IP of the proxy. If two AOL users try to use your Web application at the same time, things would get messed up.
- Some ISPs (for example, cable access providers) change their users' IP addresses once in a while to prevent them from running Web servers.
- Last but not least, the user could decide to close his Internet connection, go for coffee, and return 15 minutes later to your online shop (with a different IP, of course).

After you accept the fact that there's no generic way to identify the user with some predefined magic number, the only solution left is to create a session ID of your own and pass it from page to page. ("How?" you ask. Read on; we provide details a bit later.) This ID must be very random, or your users will try to predict it and take over other sessions. If the ID is linear, for example a normal number (page.php3?ID=5), you can bet that one user will try to open page.php3?ID=6. It may only be embarrassing if normal users can see each other's shopping carts, but it becomes a very dangerous security threat when hackers take over other sessions to steal credit card numbers or produce fraudulent orders.
PHP has a built-in uniqid() function, but because it's based on the system time, it's not secure enough to be used for a session ID. However, you can combine it with a hash function and rand() to construct a truly random string with 2^128 possible elements:

    srand((double)microtime()*1000000); // Seed the random number generator
    $session_id = md5(uniqid(rand()));  // Construct the session ID

Accessing the User's IP Address

You can access the user's IP address from the environment variable $REMOTE_ADDR. Use phpinfo() to get a list of all available environment variables.
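The construction just shown beside a CSPRNG-based one, as an added example that is not from the book; the function names and the search-space estimate are mine and assume the book's seeding of rand() from microtime().

```php
<?php
// Added example (not from the book): the book's session ID construction beside a
// CSPRNG-based one, and the shape check a server applies before trusting an ID.

// The book's PHP 4 construction, written for current PHP. uniqid() is the clock
// (seconds and microseconds in hex), and the book seeds rand() with
// srand((double)microtime()*1000000), i.e. with those same microseconds, so
// rand() adds no entropy of its own. md5() makes the result look like 128 random
// bits, but what an attacker has to search is roughly the microsecond counter
// (about 2^20) times the number of seconds of clock uncertainty that remain.
function session_id_book(): string
{
    srand((int) ((float) microtime() * 1000000)); // the book's seeding
    return md5(uniqid((string) rand()));
}

// Effective search space (in bits) of session_id_book() when the attacker knows
// the server clock to within $seconds_uncertainty seconds.
function session_id_book_search_bits(int $seconds_uncertainty): float
{
    return log(1000000 * max(1, $seconds_uncertainty), 2);
}

// 128 bits straight from the OS CSPRNG: the whole 2^128 space is actually reachable.
function session_id_csprng(): string
{
    return bin2hex(random_bytes(16));
}

// Shape check for an ID received from a URL, hostname or cookie: exactly 32
// lowercase hex characters. Fails closed on anything else.
function is_well_formed_session_id(string $id): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1;
}

// Both constructions produce IDs of the same shape; only the entropy differs.
var_dump(is_well_formed_session_id(session_id_book()));
var_dump(is_well_formed_session_id(session_id_csprng()));
printf("book construction: ~%.0f bits to search with the clock known to 1 s; CSPRNG: 128 bits\n",
       session_id_book_search_bits(1));
```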


118 Chapter 3 Application Design: A Real-Life Example

Filed under: Web Applications Development With PHP4.0 — webmaster @ 10:41

Part II: Web Applications
4 Web Application Concepts
5 Basic Web Application Strategies
6 Database Access with PHP
7 Cutting-Edge Applications
8 Case Studies


However, this method can be used to emulate user bans. The common bans for IRC, namely K-lines and G-lines (local and global bans of users), cannot be used with a Web-based chat system, as all connections originate from the Web server. The only ban-able address would be the address of the Web server, which would completely ban the whole interface from the network. To still be able to filter out specific users, connections should be evaluated at the PHP level.

Database Level

The database level is a totally different approach. Clients are allowed to log in and chat, but their messages and session information are filtered in the database. Either an external tool or the chat code itself would check whether the user is allowed to say or do something and, based on this info, allow his/her messages to be inserted into the database or not. But this strategy requires a very tight integration into the main chat code, is not very flexible (and kind of clumsy), and is inelegant to implement.

IRC Level

IRC provides native administration features built into the server code and network protocol (we hope you read the RFC and are familiar with these possibilities). Administration can even be done by regular users. Three levels are available:

- Channel operators. These operators have administrative control over channels. They can kick users, mute them, ban them, make other users into operators, and such (this level is available to all users).
- IRC operators. These operators have administrative control over the network (but not channels). They can kill users from the net, ban them, establish network links, and so on (this level is only available to special users).
- Services. Services have administrative control over channels but no control over the network, and are not able to perform like regular users. They also require a special login procedure (this level is only available to special users and is meant for automated clients).
As you can see, administration at IRC level can be done using a client running separately from the main chat system. A separate client with IRC operator and channel operator status would give the ideal combination of features that we need an administration system to have. Basically, only IRC operator status is needed initially, since as soon as the administration client has gained IRC operator status, it can gain channel operator status everywhere by killing all users from a channel. This is not a very nice method, but it is more effective and versatile than patching the IRC server code to give IRC operators equal rights to channel operators.


Interfacing the Network 115 // This is an

Filed under: Web Applications Development With PHP4.0 — webmaster @ 21:19

Listing 3.4 Continued

    }

    //////////////////////////////////////////////////////////////////////////////
    //
    // myplugin_deinit() - deinitializes this plug-in
    //
    //////////////////////////////////////////////////////////////////////////////
    //
    // All deinitialization code should go here. This function is called before
    // the bot goes down; thus, all network connections are still active.
    //
    // Although the return value is currently not used, 0 should indicate
    // deinitialization failure and 1 deinitialization success. This might be
    // used later on to force delayed shutdowns.
    //
    //////////////////////////////////////////////////////////////////////////////
    function myplugin_deinit()
    {
        // remove callbacks here
        chat_remove_callback(CHATCB_IDLE, "myplugin_idle_callback");
        return(1);
    }

    //////////////////////////////////////////////////////////////////////////////
    //
    // NOTE: DO NOT CHANGE ANYTHING BELOW THIS POINT!
    //
    //////////////////////////////////////////////////////////////////////////////

    // installer code starts here

    // register initialization function
    chat_register_plugin_init($plugin_init_function);

    // register deinitialization function
    chat_register_plugin_deinit($plugin_deinit_function);

    // installer code done
    //////////////////////////////////////////////////////////////////////////////
    ?>


112 Chapter 3 Application Design: A Real-Life Example

Filed under: Web Applications Development With PHP4.0 — webmaster @ 16:04

To be useful in the application, phpChat offers a set of events to which each plug-in can attach itself. During plug-in initialization, each plug-in tells phpChat to send it a set of desired events. Events might include the chat being idle, the user submitting a new message, the user clicking on a nickname in the nick list, an incoming message from the network, and so on. At runtime, the plug-ins can intercept these events and perform certain tasks. The clock plug-in, for example, registers itself to the idle event and checks the current system time frequently. After a predefined number of minutes, it announces the time to the user.

For most events, phpChat also sends parameters (such as the message texts for incoming messages), which the plug-ins are allowed to change. For example, the list of plug-ins in Listing 3.3 includes plug-ins named htmlspecialchars and link_transform. These plug-ins change the output of messages; htmlspecialchars applies a call to htmlspecialchars() to all printed text (for security reasons, so that no one can insert malicious HTML code into the chat), and the link transformer detects all URLs and email addresses and prefixes them with or mailto:, respectively, so that users can click links right in the chat window (see Figure 3.10).

Figure 3.10 The plug-ins at work.
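A small stand-in for phpChat's callback mechanism, added here as an example and not taken from phpChat: plug-ins register for an event, receive the message text as a changeable parameter, and run in registration order. The dispatcher, the CB_PRINT_TEXT event name, the two plug-in functions and the sample chat line are mine; what it shows is that the escaping plug-in has to run before the link transformer, so that the transformer only ever wraps already-neutralised text and never turns a user's own tags into markup.

```php
<?php
// Added example, not phpChat code: a minimal event/callback scheme in the spirit
// of phpChat's plug-ins, with an escaping plug-in and a link-transforming plug-in.

const CB_PRINT_TEXT = 'print_text';   // hypothetical event: text is about to be printed
$GLOBALS['callbacks'] = [];

function chat_add_callback(string $event, callable $fn): void
{
    $GLOBALS['callbacks'][$event][] = $fn;
}

function chat_remove_callback(string $event, callable $fn): void
{
    $GLOBALS['callbacks'][$event] = array_values(array_filter(
        $GLOBALS['callbacks'][$event] ?? [], fn($cb) => $cb !== $fn));
}

// Every registered plug-in gets the current text and returns the (possibly
// changed) text; plug-ins run in the order they were registered.
function chat_fire(string $event, string $text): string
{
    foreach ($GLOBALS['callbacks'][$event] ?? [] as $fn) {
        $text = $fn($text);
    }
    return $text;
}

// Plug-in 1: neutralise any HTML a user typed (the htmlspecialchars plug-in).
function plugin_htmlspecialchars(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Plug-in 2: make http(s) URLs and e-mail addresses clickable (link_transform).
// One alternation so a URL containing user@host is not linked twice; it runs on
// escaped text, so the only tags in the output are the ones it emits itself.
function plugin_link_transform(string $text): string
{
    return preg_replace_callback(
        '~(https?://[^\s<>"\']+)|([\w.+-]+@[\w-]+(?:\.[\w-]+)+)~i',
        fn($m) => isset($m[2]) && $m[2] !== ''
            ? '<a href="mailto:' . $m[2] . '">' . $m[2] . '</a>'
            : '<a href="' . $m[1] . '">' . $m[1] . '</a>',
        $text);
}

// Registration order is execution order: escape first, then add links.
chat_add_callback(CB_PRINT_TEXT, 'plugin_htmlspecialchars');
chat_add_callback(CB_PRINT_TEXT, 'plugin_link_transform');

// Constructed chat line with a URL, an address and an injection attempt; the
// script tag comes out as harmless &lt;script&gt; text, the links as anchors.
$line = 'see http://www.example.com/?a=1&b=2 or mail me@example.com <script>alert(1)</script>';
echo chat_fire(CB_PRINT_TEXT, $line), "\n";
```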


As you can see, plug-ins offer an extremely powerful way of extending a complex system. Consequently, phpChat has abstracted most of its own internals into plug-ins as well. The complete command interpreter has been moved into a plug-in, as well as the complete set of text formatting/printing procedures. This means that there is only a solid kernel that doesn't have to be changed, because there's simply nothing in there that would require changing; the rest can be freely modified, extended, even removed, without any impact on system performance or operability. Have you ever seen an application that doesn't complain about someone deleting its files? Using this technique, an application won't complain and will even dynamically adapt to it.

Plug-ins can be used in many ways, not just for chat programs. For example, you could also build a portal site consisting of the traditional news page, an email interface, etc. Using plug-ins, you can design a site kernel that handles all basic issues such as providing page layout, database back end, sessioning, and so on. Based on the site kernel, you can then create plug-ins for displaying news, sending and receiving email, even for providing different methods of logging in. Even if it's quite an effort, we encourage you to create a plug-in-based application as an exercise. It will be worth the work.

Listing 3.4 shows a plug-in template implementing a dummy plug-in as a code base for new plug-ins.

Listing 3.4 A plug-in template.
