Thursday, January 21, 2010

Inspecting PHP sessions from Python

For one of our PHP projects we wanted to be able to inspect PHP sessions from outside PHP. For example, we want to know the user's privileges at a certain moment, i.e. whether the user is logged in or not.

Why would you need that, you may ask?

Well, let's say that our symfony application stores the result of a cached action in Memcache, with two versions of the resulting HTML: one for logged-in users and one for logged-out ones. In that case we want to avoid loading symfony at all and return the HTML directly from Nginx. One of our devs wrote an Nginx module that does just that: it looks up a certain value in Memcache and, if it's found, returns the HTML immediately; otherwise it calls symfony to handle the request. The problem with this approach is that Nginx doesn't know whether the user is authenticated or not, so it can't handle the case where we have two different versions of the HTML output for one action. Well, until now...

Please welcome InspectorD, a Python daemon that can inspect PHP sessions.

InspectorD is a TCP server that understands a very simple text protocol: you ask it whether a certain session_id is authenticated and it replies 1 if it is, or 0 if it isn't.

Here's a sample session:

telnet localhost 3002
isauth oglnp9phvn8ac04obdqjk6dko3
isauth bj6sc485t9s46o57qpngod5lm7
isauth bj6sc485t9s46o57qpngod5lm7 oglnp9phvn8ac04obdqjk6dko3 n63o4uk297c49131dcdg0h7g72

The server is based on the Twisted framework and the PHPUnserialize module by Scott Hurring. In the latter I fixed the session_decode method, since it wasn't working for me.

For installation instructions and usage, see the GitHub project page.

Any comments and bug reports are welcome.
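To make the isauth exchange and the session_decode step concrete, here is an added, standard-library-only example; it is not InspectorD's code and does not use Twisted or PHPUnserialize. Assumptions: sessions use PHP's default name|value format, the flag lives under a hypothetical "authenticated" key, the store is an in-memory dict, several ids get one space-separated digit each, and anything malformed is answered with 0.

```python
import re

SESSION_ID = re.compile(r"[A-Za-z0-9,-]{1,128}")  # alphabet PHP uses for session ids
AUTH_KEY = "authenticated"  # hypothetical key name; depends on the application
STORE = {  # constructed sample data, keyed by the ids from the session above
    "oglnp9phvn8ac04obdqjk6dko3": b'authenticated|b:1;credentials|a:1:{i:0;s:5:"admin";}',
    "bj6sc485t9s46o57qpngod5lm7": b"authenticated|b:0;",
}

def _value(s, i):  # decode one PHP-serialized value at s[i] -> (value, next_index)
    t = s[i:i + 1]
    if t in (b"b", b"i"):                          # b:1;  i:42;
        end = s.index(b";", i)
        n = int(s[i + 2:end])
        return (n == 1 if t == b"b" else n), end + 1
    if t == b"s":                                  # s:<byte length>:"<bytes>";
        colon = s.index(b":", i + 2)
        n, start = int(s[i + 2:colon]), colon + 2
        if n < 0:
            raise ValueError("negative string length")
        return s[start:start + n].decode(), start + n + 2
    if t == b"a":                                  # a:<count>:{<key><value>...}
        colon = s.index(b":", i + 2)
        count, i, out = int(s[i + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, i = _value(s, i)
            out[key], i = _value(s, i)
        return out, i + 1
    raise ValueError("unsupported type %r" % t)    # objects, floats, null: rejected

def session_decode(blob):
    out, i = {}, 0
    while i < len(blob):                           # name|value name|value ...
        bar = blob.index(b"|", i)
        name = blob[i:bar].decode()
        out[name], i = _value(blob, bar + 1)
    return out

def is_auth(sid, store):
    if not SESSION_ID.fullmatch(sid):              # never look up an unvalidated id
        return False
    try:
        return session_decode(store[sid]).get(AUTH_KEY) is True
    except (KeyError, ValueError, TypeError, RecursionError):
        return False                               # fail closed on missing or bad data

def handle_line(line, store):
    parts = line.split()
    ids = parts[1:] if parts[:1] == ["isauth"] else []
    return " ".join("1" if is_auth(s, store) else "0" for s in ids) or "0"
```

Because the answer decides which cached HTML a visitor receives, the check is strict: only a boolean true counts, and a truncated or unparsable session is treated as logged out.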


Flukey said...

Very nice implementation. However, what's the performance like? Have you done any benchmarking of how quick the module returns whether a session is active or inactive? I would be very interested to know.

Alvaro said...

If everything goes as planned we plan to deploy this in prod. One of my fellow devs is polishing his nginx module to access this python one. When that is ready we want to put this in prod. What I can tell you right now is that a very similar python module based on twisted that we run in prod handles 8000+ requests a minute, on a 4-year-old Linux server.

Flukey said...

Excellent. Pretty impressive!

Once he's polished his nginx module, will he open source what he's done?

You have some very interesting posts btw.

Alvaro said...

Well, thanks :D

Regarding the nginx module, he has several modules published, and I guess this will be published too. I think his draft is already on the nginx mailing list.

replay said...

I sent the module to the nginx mailing list, including an example configuration. It's available in the archives:

Alvaro said...

@replay cool :)