stefangabos / Zebra_Session

A drop-in replacement for PHP's default session handler which stores session data in a MySQL database, providing better performance, better security and protection against session fixation and session hijacking
https://stefangabos.github.io/Zebra_Session/Zebra_Session/Zebra_Session.html

zebra_session could be used in AWS ALB? #43

Closed testkimid closed 3 months ago

testkimid commented 2 years ago

Hi, can zebra_session be used with AWS ALB and AWS web server Auto Scaling? AWS ALB will not operate in sticky session mode.

stefangabos commented 2 years ago

I'm sorry, I have no experience with any of those.

awjudd commented 1 year ago

I believe that it should be able to be used in conjunction with the ALB. If you set a sticky session on your ALB, then it will automatically create a cookie with the specific server you were connecting to, therefore making it so you always return to that server (when the load balancer sees it). This package will write a session that is stored in the database instead of local file system making it so that even without persistent/sticky session it's available to any servers that reference it.

dvelopin commented 3 months ago

I realize this is old, but I use this class with several AWS Elastic Beanstalk applications which use the AWS Application Load Balancer. To accomplish locking to IP in this environment, a couple of changes need to be made to the class.

First add a new private function for getting the end user's ip address:

```php
// Resolve the end user's IP address when the application sits behind a proxy or
// load balancer. Each header is checked in order and the first non-empty value wins.
// Note that every HTTP_* value here is a request header, i.e. supplied by whoever
// talks to the proxy, and X-Forwarded-For may hold a comma-separated list of hops.
private function getIPAddress() {
    $ipaddress = '';
    if (getenv('HTTP_CLIENT_IP')) {
        $ipaddress = getenv('HTTP_CLIENT_IP');
    } else if (getenv('HTTP_X_FORWARDED_FOR')) {
        $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
    } else if (getenv('HTTP_X_FORWARDED')) {
        $ipaddress = getenv('HTTP_X_FORWARDED');
    } else if (getenv('HTTP_FORWARDED_FOR')) {
        $ipaddress = getenv('HTTP_FORWARDED_FOR');
    } else if (getenv('HTTP_FORWARDED')) {
        $ipaddress = getenv('HTTP_FORWARDED');
    } else if (getenv('REMOTE_ADDR')) {
        // No forwarding header present: fall back to the direct peer address.
        $ipaddress = getenv('REMOTE_ADDR');
    }
    return $ipaddress;
}
```

Then update the places where $_SERVER['REMOTE_ADDR'] is used.

Change this:

```php
if ($this->lock_to_ip && isset($_SERVER['REMOTE_ADDR'])) {
    $hash .= $_SERVER['REMOTE_ADDR'];
}
```

To this:

```php
if ($this->lock_to_ip && $this->getIPAddress() != '') {
    $hash .= $this->getIPAddress();
}
```

And change this:

```php
md5(
    ($this->lock_to_user_agent && isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') .
    ($this->lock_to_ip && isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '') .
    $this->security_code
),
```

To this:

```php
md5(
    ($this->lock_to_user_agent && isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '') .
    ($this->lock_to_ip && $this->getIPAddress() != '' ? $this->getIPAddress() : '') .
    $this->security_code
),
```

This will now use the correct remote IP and lock_to_ip will work properly.

stefangabos commented 3 months ago

This looks nice and I see no problem in adding this to the code, as I don't think this should affect general usage of the library.

stefangabos commented 3 months ago

See #54.

stefangabos commented 1 month ago

There's a new way of doing this; the previous solution (#54) was removed. Use instead a callable for the lock_to_ip argument in the constructor. See the docs.
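The following is an added example, not code from Zebra_Session or from any participant in this thread. It shows the kind of resolver one could supply as the lock_to_ip callable mentioned above, and it addresses the weakness in the header-walking approach posted earlier: any of those headers can be set by the client, so a forged X-Forwarded-For would let an attacker choose the value that goes into the session hash. The resolver below believes X-Forwarded-For only when the direct peer (REMOTE_ADDR) is a trusted proxy, and it reads the list from the right, because an ALB appends the connecting client's address to whatever the client already sent. The trusted-proxy CIDR, the sample request, and the Zebra_Session constructor argument order are assumptions; check the project's docs for the real signature and whether the callable receives arguments.

```php
<?php
// Added example (not part of Zebra_Session): trusted-proxy-aware client IP
// resolution for use as a lock_to_ip callable. CIDRs and request data are assumed.

// IPv4 CIDR membership test (IPv6 addresses simply never match, so they are
// never treated as trusted proxies by this helper).
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Return the address the session should be bound to.
 *
 * $server is $_SERVER (passed in so the function can be exercised offline).
 * $trustedProxies lists CIDRs from which X-Forwarded-For is believed; behind an
 * ALB that is the load balancer's subnets (the value used below is assumed).
 *
 * - If REMOTE_ADDR is not a trusted proxy, forwarding headers are ignored and
 *   REMOTE_ADDR is returned: a direct client can set those headers to anything.
 * - Otherwise the X-Forwarded-For list is walked from the right, skipping
 *   trusted proxies, and the first other entry is the client address that the
 *   proxy itself observed. Everything left of it was supplied by the client.
 * - A malformed entry stops the walk; the peer address is returned instead of
 *   continuing into client-controlled values.
 */
function client_ip(array $server, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $isTrusted = function (string $ip) use ($trustedProxies): bool {
        foreach ($trustedProxies as $cidr) {
            if (ip_in_cidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    };

    if ($remote === '' || !$isTrusted($remote)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!$isTrusted($hop)) {
            return $hop;
        }
    }
    // Header absent, or every hop was a trusted proxy: fall back to the peer.
    return $remote;
}

// Constructed request, as an ALB would present it to the backend: the client
// sent a forged X-Forwarded-For, and the ALB appended the real connecting
// address on the right. All addresses here are made up for the example.
$constructedServer = [
    'REMOTE_ADDR'          => '10.0.1.25',            // ALB node, inside the trusted range
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7', // forged entry, then ALB-appended entry
];
$trustedProxies = ['10.0.0.0/16']; // assumed ALB subnet range

echo client_ip($constructedServer, $trustedProxies), PHP_EOL;

// Same forged header arriving directly, with no trusted proxy in between:
// the header is ignored and the peer address is used.
echo client_ip(['REMOTE_ADDR' => '198.51.100.9',
                'HTTP_X_FORWARDED_FOR' => '1.2.3.4'], $trustedProxies), PHP_EOL;

// Wiring it into Zebra_Session as the lock_to_ip callable. Guarded so the file
// still runs stand-alone; the argument order ($link, $security_code,
// $session_lifetime, $lock_to_user_agent, $lock_to_ip) and a zero-argument
// callable are assumptions to be checked against the project's docs.
if (class_exists('Zebra_Session') && isset($link)) {
    $session = new Zebra_Session(
        $link,
        'replace-with-a-long-random-secret',
        '',
        true,
        function () use ($trustedProxies) {
            return client_ip($_SERVER, $trustedProxies);
        }
    );
}
```

With the constructed ALB request the resolver returns the right-most entry, the one the ALB added, and discards the forged left-hand value; with the direct request it returns REMOTE_ADDR and ignores the header entirely. Keep the trusted range tight: if it includes addresses an attacker can connect from, the header is again under their control.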