VbzCart/tables/user session

About
This table was originally an inextricable part of VbzCart, but it is now mostly handled through the standalone user-session library. Only ID_Cart and ID_Order have been added for VbzCart.


 * Rules: A new session should be created whenever the "same" client doesn't remember the session cookie (could be a different computer on the same IP address), or if the session has timed out.
 * Relations:
 * Each has one or more s
 * Each has one or more s
 * A single session may discard one cart and start a new one.
 * Sessions only use carts they create, never reusing one created by another session.
 * Each session knows only the cart it is currently using.
 * Usage:
 * For now, we will be treating each as having its own session which never expires. Having a separate class for the session, though, lets us decouple these things later on if we want to.
 * There should eventually be an "empty cart" button; if the user has not logged in, then that button should start a new session rather than clearing the cart for the current session.
 * Fields:
 * WhenClosed: if not NULL, then this session should not be reused (might be a different user returning to their cart, or might be the same user -- if no login, we have no way of telling, so take safest choice). If this session is accessed after the time of WhenExpires, code should manually set WhenClosed to NOW.

Security
I briefly toyed with the idea of only allowing the session to be set via http query within the secure area once and thereafter requiring it to come from a cookie, but anyone familiar with wget could spoof a cookie pretty easily, so this didn't seem worth the effort.

The real security comes from requiring that client's fingerprint (browser + IP address) "match" those in the session record for the session token (which the client must also give) before authorizing renewal of a session for that client. The session token is essentially a "shared secret" generated by the server.

History

 * 2009-06-18 design started - first draft, not sure concept is right
 * 2009-07-10 each session ties to a cart, not vice-versa; Token is now a random string
 * 2011-02-07 fixing bug where user gets the same cart again after placing an order:
 * ID_Cart is now cleared when cart is converted to an order, so that same cart won't get reloaded
 * ID_Order field so we can still pull up the order when ID_Cart is cleared
 * Remember, this is the active cart. After cart is converted to an order, it is no longer active.
 * 2011-03-27 decided that clearing ID_Cart is a bad idea, because:
 * user can't reload the receipt page
 * we can't detect if the user has already sent in an order, so we can't ask if they want to add to it or modify it
 * 2013-09-26 added ID_User -- this is how we know if the user is logged in.
 * 2013-11-09
 * renamed from shop_session to user_session
 * moved ID_User above ID_Cart, since that and ID_Order are now "additions" to the base class as defined in user-session.php

SQL
DROP TABLE IF EXISTS `user_session`; CREATE TABLE `shop_session` ( `ID`          INT     NOT NULL AUTO_INCREMENT,  `ID_Client`   INT     NOT NULL COMMENT "user_client.ID",  `ID_User`     INT DEFAULT NULL COMMENT "ID of logged-in user, if any",  `ID_Cart`     INT DEFAULT NULL COMMENT "shop_cart.ID currently active for this session",  `ID_Order`    INT DEFAULT NULL COMMENT "order ID to which cart was converted (if any)",  `Token`       VARCHAR(31)      COMMENT "session identifier passed as cookie = random string",  `WhenCreated` DATETIME         COMMENT "when session was created",  `WhenExpires` DATETIME         COMMENT "when session was due to expire",  `WhenClosed`  DATETIME         COMMENT "when the session was closed",  PRIMARY KEY(`ID`),  UNIQUE KEY(`Token`) ) ENGINE = MYISAM;