Search code examples
phpzend-frameworkzend-session

Zend Session and Namespace Expiries


I have 2 areas that need session management, with 2 different expirations:

  • Administrative Area - 20 minutes
  • Reservation Area - 3 minutes

Using Zend_Session, how can I manage both for the same user?

It is important to note that the Reservation Area behaves much like Ticketmaster, where maintaining reservation accuracy down to the second is crucial.

My current implementation utilizes the Zend_Session_SaveHandler_DbTable and I would like to stick with that, if possible.

I am storing the Session_ID from the main Session table on the Reservation table to indicate reservations. This works out well, because it allows me to use garbage collection to clean up abandoned sessions (I have a cron triggering garbage collection every minute).

My problem with this implementation is that I don't know how to manage the Administrative Area's session, given the time difference.


Solution

  • I think you need an application-level thing to manage these reservations, rather than relying on the session itself. It's hard to 'do things' when sessions expire, and I'd argue sessions are not really designed to be depended on for this sort of functionality.

    I suggest you create a separate table that holds reservation tokens. These would have an unique 'token' hash as the primary key, an 'expires' date, and possibly a optional user ID. Instead of storing Session_ID on the reservation table, you store the token instead, with the same constraint in place (so deleting the token frees up the reservation). You add an additional cron job that expires tokens - this could be as simple as executing a DELETE FROM reservation_tokens WHERE expires < NOW() query. In the session you store the token, and checking the expire time on the token will tell you whether the reservation is still valid or not.

    This way your reservation expiry is no longer dependent on the session expiring. It also would allow for things like a logged in user still having the same reservation if they were to login again (before the reservation expired).

    As for the administrative login, an approach I've taken in the past is to simply extend the session expiry when a user authenticates. This is pretty easy to do, just after a valid login:

    // assuming $result is a Zend_Auth_Result
    if ($result->isValid()) {
        // extend the user's session
        $lifetime = 1200;
        ini_set('session.cookie_lifetime', $lifetime);
        Zend_Session::rememberMe($lifetime);
    }
    

    and if you've implemented the reservation token solution, having a longer session no longer causes problems with your reservations.