Maintaining a session in a session-less environment

Confused?  I know I was at first, but let me explain.  First, why would there be a session-less environment?  I thought this was a HUGE plus to server-side development languages over basic HTML that is session-less?  Well, you would be right in that sense; however, as I mentioned in a recent blog that I’ve switched careers and I am currently doing server-side game development for large Facebook Virtual Worlds.  The client/server relationship in these games are completely session-less.  Each time the client performs an action, the server doesn’t “know” who they are because it’s not a consistent relationship like a browser and a web server.

Don’t worry, there is a simple solution to this problem, let’s explore it now.

The only thing we need to make this work is a unique identifier sent to us on each server call from the client.  Something that is not obvious and cannot easily be guessed; since there is no true security in this process.  The easiest thing to use is the session id that is created by the server on the first visit.  No matter the server-side language, if it supports session it will provide you with a unique session id.  Below is some example PHP code to get our session id:

[code]<?php

$sessionId = session_id();

?>[/code]

We will want to retrieve this id on the first page load (usually when we load the Flash application).  The process would be something like this:

[code]<?php

// start our session (assuming auto start is not turned on)

session_start();

// Check if the sessionId was passed in through the URL

if (array_key_exists(‘sessionId’, $_REQUEST)) {

$sessionId = $_REQUEST[‘sessionId’];

// update our session id to the one passed in

session_id($sessionId);

} else {

// we don’t have a session, so store the session id

$sessionId = session_id();

}

?>[/code]

On each page request this will look for the session id in the URL or it will generate a new one.  After this process we would pass the $sessionId to Flash so they can send it back each time allowing us to maitain our session in a session-less environment.

You may have noticed that this is an incomplete example because we haven’t stored anything in our session to maintain.  To make this example complete, we will want to retrieve the “current user” from our database.  In the else statement above, we would need to perform a query to retrieve the user.  Once retrieved, we can store the user in the session and use it on each subsequent call when our session is already set.

Have I confused you even more?  Below is a stripped down example of doing this with an iframed Facebook application:

[code]<?php

// start our session (assuming auto start is not turned on)

session_start();

// Check if the sessionId was passed in through the URL

if (array_key_exists(‘sessionId’, $_REQUEST)) {

$sessionId = $_REQUEST[‘sessionId’];

// update our session id to the one passed in

session_id($sessionId);

// get the user from the session

if (array_key_exists(‘user’, $_SESSION)) {

$user = $_SESSION[‘user’];

} else {

// something went wrong and we don’t have a session, so send them back to the main canvas page to re-intialize everything…

echo ‘<script>window.top.location=”http://apps.facebook.com/<myapphere>”;</script>’;

exit;

}

} else {

// we don’t have a session, so store the session id

$sessionId = session_id();

// validate Facebook request variables

$userId = validateFacebook();

// query database for user

$user = fakeFunctionToGetOurUser($userId);

// store this in the session

$_SESSION[‘user’] = $user;

}

function validateFacebook() {

// perform $_REQUEST check

if (array_key_exists(‘fb_sig’, $_REQUEST)) {

// TODO: place code that validates the $_REQUEST params

return $_REQUEST[‘fb_sig_user’];

} else {

// something went wrong and we don’t have a session and don’t have our Facebook

// request variables, so send them back to the main canvas page to re-intialize everything…

echo ‘<script>window.top.location=”http://apps.facebook.com/<myapphere>”;</script>’;

exit;

}

}[/code]

I hope that helps clear things up.  For those of you out there who are looking for a more completed Facebook iframed example, I hope to have that soon.  Enjoy!