HyperAdmin Session

A session is when a particular user is connected to HyperAdmin using a particular browser on a particular computer.

A session also helps keep track of immediate user preferences, e.g. searching only certain item types or topics.

There is more discussion of Sessions in the context of a shopping cart system (for which HyperAdmin was, in part, designed) in vbzwiki:VbzCart.

Rules

Sessions depend on the following parameters, in order of increasing trust:

Phase I: look at input, compare with database, and decide what to do
1. If input has session cookie:
  - If session cookie matches one in database
    - Set $session_found ID to the one found
    - Set $session_cookie_found to TRUE
    - If input has verified username:
      - Expire all *other* sessions with same username
  - ...Else (cookie not found in db)
    - Log HACK_WARNING (may just be a long-delayed return, but shouldn't happen too often)
    - Set $session_invalid flag
2. ...Else (no session cookie):
  - If input has verified username:
    - Expire all sessions with same username
    - Set $new_session flag
  - ...Else (no verified username):
    - Search [sessions] table for IP/browswer match
    - If IP/browser match found:
      - Set $session_found ID to the one found
    - ...Else (no IP/browser match):
      - Set $new_session flag
Phase II: take action
1. if $session_found:
  - if NOT $session_cookie_found:
    - set session cookie
2. ...Else (NOT $session_found):
  - if $session_invalid:
    - set $new_session flag
  - if $new_session flag:
    - Create new session
    - Set session cookie
  - ...else NOT $new_session flag:
    - Log INTERNAL_ERROR: no valid session but we're not creating a new one --??

Variables:

$session_found -- ID of existing session found which matches input parameters (cookie or browser)
$session_cookie_found -- session cookie is already set
$session_invalid -- session specified in input parameters is not valid
$new_session -- if TRUE, need to create a new session record