
Because of European privacy law being harshly applied in the Netherlands and to keep my company's site user friendly without nagging the users with questions if it's okay to store a cookie on their computer that allows me to access their client data.

What I need is a way to "overwrite" the native PHP sessions class so that at the point where the native class requests the cookie that stores the phpsessid, I can place my own code there that checks the browser's fingerprint and matches that to a session id which I can use to return to the normal working of the native class.

My idea is:

Table sess_fingerprints, fields: fingerprint, phpsessid

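    function getsessionid($userfingerprint)
    {
        // Bind the fingerprint as a query parameter (CodeIgniter-style query binding,
        // which this $this->db code appears to use) instead of interpolating it into the SQL.
        $result = $this->db->query("SELECT phpsessid
                        FROM `sessiondatabase`.`sess_fingerprints`
                        WHERE `sess_fingerprints`.`fingerprint` = ?", array($userfingerprint));
        if ($result->num_rows() != 0)
        {
            // row() returns the first result row as an object.
            return $result->row()->phpsessid;
        }
        return null; // no session id stored for this fingerprint
    }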

And at that point the native PHP session code just works as it would normally do.

So, my question is: is it possible to overwrite only the "cookie" part of the PHP session class? If so, how? Because I haven't found that yet.

I'm aware of being able to pass along the session variable via URLs etc., but that's not secure enough for my web applications.

Tschallacka
  • This may be of some help - https://github.com/EllisLab/CodeIgniter/issues/1375 – TigerTiger May 24 '12 at 11:06
  • I've joined that discussion. Thank you for that link, but I also need this for other sites that don't use CodeIgniter. What I need is just a way to kill the cookie part of the native session class and replace it with my own. That way it doesn't matter if I have CodeIgniter, Joomla, concrete or some other obscure software package. Then I only need to add my own lines at the beginning and that way I can ensure it works in compliance with the law. My fingerprinting software works as expected. Now to replace the session cookie setting functions. – Tschallacka May 25 '12 at 08:54

2 Answers

PHP provides support for custom session handlers:

http://php.net/manual/en/session.customhandler.php

Eva
  • I've read through that manual, but what I want is to replace only the cookie retrieving part. Not all the other code. Is there a way to replace only one specific part? I'm using PHP 5.3, so I can't use a parent::do your thing construction to have the original code do its thing. – Tschallacka May 23 '12 at 14:49
  • The example here [link](http://www.php.net/manual/en/function.session-set-save-handler.php) provides a session handler similar to the PHP one, I'd consider just using that. – Eva May 23 '12 at 14:58
  • I have read through it, but this all does not handle the cookie part. I want to use my own fingerprinting software to give the native class the session id. I do not need to rewrite the entire session read/write mechanism. I only need to intercept the code where the cookie is written/sessionid is appended to the URL. That part of the code I wish to replace, and that part does not get replaced by the session handler code examples you posted. – Tschallacka May 24 '12 at 15:01

I think I have found the solution to my problem. I'm going to override the functions related to cookies by using http://php.net/manual/en/function.override-function.php

Thank you all for thinking along.

Tschallacka
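
The lookup described in the question can also be wired into the native session code without overriding any PHP functions, by turning off cookie transport and calling session_id() before session_start(); the following is an added example, not code from the posts above. It assumes a PDO connection, the sess_fingerprints table from the question, and a fingerprint string produced by your own fingerprinting code; the function name, SQLite file and sample fingerprint are constructed for illustration. With this design the fingerprint is the only thing identifying the session, so any client producing the same fingerprint resumes the same session.

```php
<?php
// Added example, not code from the posts above.
// Assumptions: $fingerprint comes from your own fingerprinting code; the table is
// sess_fingerprints(fingerprint, phpsessid) as in the question; PDO is available.

function start_fingerprint_session(PDO $db, $fingerprint)
{
    // No session cookie is read or sent, and no id is taken from or added to URLs.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Parameterized lookup: the fingerprint is derived from client-supplied data.
    $stmt = $db->prepare('SELECT phpsessid FROM sess_fingerprints WHERE fingerprint = ?');
    $stmt->execute(array($fingerprint));
    $known = $stmt->fetchColumn();          // false when no row matches

    if ($known !== false) {
        session_id($known);                 // must happen before session_start()
    }
    session_start();                        // generates a fresh id when none was set
    $current = session_id();

    if ($known === false) {
        $sql = 'INSERT INTO sess_fingerprints (phpsessid, fingerprint) VALUES (?, ?)';
    } elseif ($known !== $current) {
        // PHP replaced the stored id (e.g. strict mode after the old session expired).
        $sql = 'UPDATE sess_fingerprints SET phpsessid = ? WHERE fingerprint = ?';
    } else {
        return $current;
    }
    $db->prepare($sql)->execute(array($current, $fingerprint));
    return $current;
}

// Constructed demo data: a throwaway SQLite file and a made-up fingerprint value.
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/sess_fingerprints_demo.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS sess_fingerprints
           (fingerprint TEXT PRIMARY KEY, phpsessid TEXT NOT NULL)');

$fingerprint = hash('sha256', 'constructed-sample-fingerprint');
$id = start_fingerprint_session($db, $fingerprint);
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
echo "session id {$id}, hits {$_SESSION['hits']}\n";
```

Running the script twice from the command line prints the same session id with an increasing hit count, which shows the session being resumed from the table lookup alone.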