Looping Through All a Server's Sessions in PHP

Question 1

Is there a way in PHP to get a list of all sessions (and the variables within each) on the server?

Basically, we have a maintenance function which needs to know which users are currently logged into the site. We already store data for each user in a session variable, but I am hoping that I can loop through each of these sessions and pluck out the data I need.

MY PHP is very limited (I am a .Net developer ussually) but if anyone knows if this is even possible (and how to do it) I'd be very grateful. I googled this, and the results I found tended to inidcate that it WASN'T possible, but I find this very hard to accept.

Still, If you can't you can't but I thought my buddies on StackOverflow could give me a definitive answer!

Question 2

PHP stores session data for each user in a temporary folder on the server. This folder is defined in the php.ini configuration file under the variable session.save_path. Locate this value from within your php.ini file, or alternatively, create a php file with:

<?php echo "Session Save Path: " . ini_get( 'session.save_path');?>

as it's contents, and open the file in your browser.

Once you find the save path for the session data, open up that folder and you'll notice a fairly simple structure. All sessions are stored in the format: sess_$SESSIONID .

Session data is serialized before being stored on disk. As such, objects stored in the session file would have to be deserialized before being usable. However, if you're using plain text, which is stored as-is, to store your session data (ex. $_SESSION['userid'] = 1234) to store information about your users, it should be easy enough to parse out the data you're looking for from within the files.

One more thing ... I haven't looked into it, but it appears as though the session ID that appears in the filename corresponds directly to, for instance, the name of the PHPSESSID cookie stored on the user's computer. So, with this in mind, it may be possible to loop through the files within the temporary session directory, acquire all the $SESSIONID values, set the current session ID using session_id($SESSIONID), start a session with session_start() and access the data you need through PHP without having to parse the contents files themselves. Can anyone confirm whether or not this would be possible?

Edit: Adjusted post to match Itay's comment.

Question 3

If this is just for debugging output, you can use the following to see all the types and values as well.

var_dump($obj);

If you want more control over the output you can use this:

foreach ($obj as $key => $value) {
    echo "$key => $valuen";
}

Question 4

You can modify another users session (see below), although personally, I would recommend against it. As I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged, while in the same time an administrator uses the Admin functions and change some value for this user. If the value is not something obtained from the database every time, the session variable for that current logged in user need to have its value changed.

You would be better of updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load then when you update the user in the admin panel, you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load

But if you still want to modify another user's session, you can set your current session_id to the targets.

// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();

// Modify our target session 
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();

// Start our old session again
session_id($my_session_id);
session_start();

EDIT

Example: https://www.samdjames.uk/session_example/index.php

Example Src: https://gist.github.com/SamJUK/c220e3742487567c6262238edf85695e

Question 5

Instead of setting the time in ini to a fixed length, remind that session timeout is reset on reload. So create some ajax code that does a request every 5 minutes or so to a file (image or smth). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Question 6

In modern browsers Object.getOwnPropertyNames() and Object.getPrototypeOf() will help you get all properties of all objects in the prototype chain.

http://jsfiddle.net/FtVXN/

var obj = window;

do Object.getOwnPropertyNames(obj).forEach(function(name) {
       console.log(name);
   });
while(obj = Object.getPrototypeOf(obj));

If you want to see the separation of the prototype objects, then add a line that provides a divider.

http://jsfiddle.net/FtVXN/1/

var obj = window;

do {
    Object.getOwnPropertyNames(obj).forEach(function(name) {
        console.log(name);
    });
    console.log("=============================");
} while(obj = Object.getPrototypeOf(obj));

I do think I recall that in Firefox, some globals don't appear until you access them. You may need to do a little experimenting if you find that to be the case.

Looping Through All a Server's Sessions in PHP

Answers

php,session