2

I am thinking of implementing database-driven session management in PhP and have read on the session_set_save_handler function to specify the callbacks to be triggered on different session-based events. There is also the option to implement an interface. In fact there is a lot of info if you google around. I state all this because my question is not HOW to use session_set_save_handler() to implement a db-driven session management solution but rather HOW to implement the same functionality without using it.

What I was wondering is why go through the session_set_save_handler at all? How about an intermediate approach? Just use the session handling in PhP to get the session id and then using this as the key, one can implement a full CRUD functionality on session variables (of course, not connected to the $_SESSION array). For example, use another associative array as in $_DBSESSION. After session is started, get the session id and retrieve all rows in DB with this key and populate the $_DBSESSION array and when session is to be closed, this array is dumped, one record per array index into the database table after first deleting all entries with that session id. This write-to-db functionality can be in the register_shutdown_function() as it is done last when the program exits. Garbage cleanup can be done separately following whatever custom approach is needed.

This way, one can use the built-in $_SESSION array also conventionally along with the $_DBSESSION approach. This sounds a lot less complex than the use of the session_set_save_handler(). Also, the actual session creation in terms of cookie interface is still taken care of by PHP's session management.

QUESTION: Am I on the right track? Does this make sense?

Sunny
  • 9,245
  • 10
  • 49
  • 79
  • 1
    So basically you want to do everything that session_set_save_handler() does for you, but manually? – dkasipovic Mar 27 '14 at 17:57
  • 1
    `$_SESSION` is also a super global array. Meaning it can be accessed anywhere without needing to call `global` on it in every function/method scope. $_DBSESSION is not. If you wanted to go this route, you would be better off making a class called `DBSESSION` with static methods. Then only fetch db values when they are used. You could also get all once on first use. – Jonathan Kuhn Mar 27 '14 at 17:57
  • @D. Kasipovic I think that session_set_save_handler() is too generic in nature and really does not do a lot. There is also serialize/deserialization that you are avoiding. Since, with the session_set_save_handler() approach, you are not saving in the DB the value of each session variable separately (as I understand), any analysis outside the scope of the script will need additional work to deserialize this info. Am I wrong here? I do accept Jonathan Kuhn's observation of the lack of super-globalness of my custom $_DBSESSION variable. I am looking for such cons in my approach. – Sunny Mar 27 '14 at 18:05
  • I am looking for any problems that can occur without using session_set_save_handler. I am considering a web socket, where I handle multiple users with a single PHP script that is started via command line and accepts multiple connections. A global session variable would be really bad for this application since I do not want to leak data between users. If anyone has reasons that we should or must use session_set_save_handler, more info would be welcome. – Frank Forte Dec 21 '15 at 04:50
  • @Franke Forte I have moved to node.js and realized that PHP is just too archaic. Websockets, session management, authentication, webRTC, ORTC, etc... you need to move over to node.js to realize the full potential, integrate everything cleanly, and enjoy coding... It is difficult at first to deal with asynchronous programming but once you get over that, you will never look back... – Sunny Dec 21 '15 at 06:08

0 Answers0