难道使用$ _SESSION超全局来获取当前的在线用户，并在以后将其重新设置为当前的会话数据吗？

Question

I am using a database to store my session data. I've created some functions to query through the current active sessions and return some values to be used on the current page. Getting the number of open sessions seems easy enough with a single query like "SELECT SessionData FROM UserSessions" and return the number of rows returned by the query.

I then wanted to determine which site users are currently "online". The session stores the UserID of the user who is viewing the website. I searched and searched and seemed to only find the session_decode function for decoding what seems to be serialized data (but unserialize doesn't work). The only problem here is, session_decode automatically populates the $_SESSION superglobal. So my question is, is it "BAD" to temporarily store the $_SESSION data, use session_decode on each user that is currently online, then reset the $_SESSION variable to the temporarily stored data?

function getLoggedInUsers() {
            //NEED SOME ERROR HANDLING AROUND DB STUFF
    $oConn = DB::connect(RF_DSN);

    $oPrep = $oConn->prepare("SELECT SessionData FROM UserSessions WHERE SessionData LIKE ?");

    $oRes = $oConn->execute($oPrep, array("%UserID%"));

    $aCurSession = $_SESSION; //STORE SESSION DATA TO RESET LATER

    $aLoggedInUsers = array();
    while ($oRow = $oRes->fetchRow(DB_FETCHMODE_ASSOC)) {
        if ($oRow == NULL) {
            break;
        }

        $_SESSION = array();

        session_decode($oRow["SessionData"]);

        $aLoggedInUsers[] = new User($_SESSION["UserID"]);

        $_SESSION = array();
    }

    $_SESSION = $aCurSession; //RESET SESSION DATA TO CURRENT ONLINE USER

    return $aLoggedInUsers;
}

It seems to me that this would work, but are there any known cases where this could fail and then the current user would end up with some other user's session data, effectively being signed in as a possible admin or something? Would it be better to store another field in my UserSessions database that would house the UserID or something like that?

**EDIT*** I am trying to display the usernames of all the current logged in users (whom have registered on the site, and logged in).

Answer 1

What I would recommend is that you add a column to your session table which stores the user id separately outside of the session data. That way you can use SQL to get the names like this. (Using a hypothetical user table)

SELECT UserTable.userName FROM SessionData
INNER JOIN UserTable
ON SessionData.userId = UserTable.id

Assuming you're using another query to clean out old sessions after a pre-determined period of time this query will return both the the current session data for each logged in user as well as the user's row from the user table containing their username.

The $_SESSION array should only be used for storing information relevant to the user's current session, not other sessions around the site.

Answer 2

I won't go into value judgments of good and bad but there's definitely going to be simpler ways to do it. The simplest would be to just have a DB table that you upsert on every page access with a user ID and a timestamp and do a COUNT(*) against the last 15 minutes or so. With proper indexing, the performance impact would be negligible

Reading some of the comments you posted clarifying what you're doing, you could just as easily do this against your session table. Since "users online" is not really critical, the possibility of a user being logged in twice and having multiple sessions isn't really all that important.