Enumerating a variable from each session

[JoshT]

Suppose I store a "mysiteguid_username" variable in a session for each successfully logged on user. Is there a way of enumerating thru all the active sessions to create a "who's online" list of usernames? Or do I have to roll my own session system to get this functionality?

[techgnome]

Have you tried looking at http://www.php.net ???

[The Hobo]

Originally posted by JoshT
Suppose I store a "mysiteguid_username" variable in a session for each successfully logged on user. Is there a way of enumerating thru all the active sessions to create a "who's online" list of usernames? Or do I have to roll my own session system to get this functionality?

There isn't a way, I don't think.

The best way to do it would be to store each user in a database each time a page is loaded, and also delete entries older than a certain amount of time.

I posted a good example on how to do this a few months back here. Scroll down a little more than halfway.

[phpman]

yes what Hobo said. each session is unique to each users browser so there is no way to scroll through them.

the best way is to add them to a DB.

[JoshT]

Well, I figure PHP is keeping a database of all active sessions and session variables somewhere, but there appears no means to access it directly thru PHP.

[phpman]

no it doesn't, it is keeped on the server in a folder (well you could call it a DB) but they are just files. and for security you can't access someones session ID from another browser, hence you can't look at all the sessions that are logged in to your site wihtout keeping a record in you DB or flat file

[JoshT]

Originally posted by phpman
no it doesn't, it is keeped on the server in a folder (well you could call it a DB) but they are just files. and for security you can't access someones session ID from another browser, hence you can't look at all the sessions that are logged in to your site wihtout keeping a record in you DB or flat file

Why not? PHP's guts can do it. I'm not accessing someone's session from a browser, I'm accessing it from server side. I see no reason why I cannot do this except that the fact that this functionality is not built into PHP.

If fact, I can directly read the PHP session files (php.ini points them into /tmp):

PHP Code:

$dirname = '/tmp/';
if ($dir = @opendir($dirname)) {
  while (($file = readdir($dir)) !== false) {
    if (preg_match("/sess_/", $file)) {
        print "<h3>$file</h3>";
        print '<pre>';
    readfile($dirname . $file);
    print '</pre>';    
    }
  }  
  closedir($dir);
} 


[phpman]

and you can see the tmp directory? usually this is tucked up above where a user can't see it, it shouldn't be in the web directory, in fact on my PC it is under php directory adn nothing to do with the server. even if you could that it doesn't mean anything. some of them are there but not connected to anything, that is why apache a a cleanup program to go through and delete ones that aren't updating in the allotated time.

so your count will not be accurate.

if it was possible don't you think this forum would do it?

[JoshT]

Originally posted by phpman
and you can see the tmp directory? usually this is tucked up above where a user can't see it, it shouldn't be in the web directory, in fact on my PC it is under php directory adn nothing to do with the server. even if you could that it doesn't mean anything. some of them are there but not connected to anything, that is why apache a a cleanup program to go through and delete ones that aren't updating in the allotated time.

so your count will not be accurate.

if it was possible don't you think this forum would do it?

Of course you can see the /tmp directory. Note that the / specifies the root of the filesystem, nothing to do with any web directories. PHP has access to whatver in the local filesystem the account it is running under has access to ('nobody'), and it needs access to the directory where it keeps the sessions. Of course, I can't telnet in and access these files with my own user account, but the nobody account can while PHP is running as it.

In fact, the following works beautifully:

PHP Code:

function enum_users() {
    $dirname = '/tmp/';
    $users = array();
    
    if ($dir = @opendir($dirname)) {
      while (($file = readdir($dir)) !== false) {
        if (preg_match("/sess_/", $file)) {
            $fd = fopen($dirname . $file, "r");
            $string = fread($fd, filesize($dirname . $file));
            fclose($fd);
        if ( preg_match("/sulinda_username\|.*?\"(.*?)\";/", $string, $match) ) {
            array_push($users, $match[1]);    
        }
        }
      }  
      closedir($dir);
    }
    
    return $users;
} 


And for what it's worth, any session that is still there (hasn't been deleted) might as well be considered a logged on user.

[phpman]

ahh I see the difference. on my machine it is one folder as I don't run a virtual host. so each virtual host has it's own /tmp/ directory? that makes since then the sessions will only pertain to that domain. that is cool but could also be deadly as you can read everyones session variables with one little script.

if the /tmp/ folder is not specific to a website then you would be getting all the sites that are registered on the server. then you would be getting sessions that have nothing to do with your site.

[The Hobo]

I'd rather do the database method, still. It seems like I'd have more control over when a record is deleted and how long the user stays active.

[JoshT]

Originally posted by phpman
if the /tmp/ folder is not specific to a website then you would be getting all the sites that are registered on the server. then you would be getting sessions that have nothing to do with your site.

Yes, I get all Sessions from all sites. That's why I preface my session variables with my site name so I can parse them out. There is also an issue with PHP taking time before it deletes these files - they seem to stay for weeks - luckily I should be able to check the last modified date or whatever

[JoshT]

Originally posted by The Hobo
I'd rather do the database method, still. It seems like I'd have more control over when a record is deleted and how long the user stays active.

Yeah, but I just needed something quick and dirty for a graduate-level web design course I'm taking.