Is there a more contemporary alternative to PHP session or is PHP session still the main choice to store information? I read this: https://pasztor.at/blog/stop-using-php-sessions. I'm still learning PHP and frankly, I'm quite clueless.
- That's a weird article. That said, there are places where a session-less approach makes sense, like APIs. https://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness – ceejayoz Feb 09 '19 at 02:58
- This feels rather Opinion-based doesn't it? Or maybe Too Broad? – mickmackusa Feb 09 '19 at 03:09
- It appears the author has limited understanding of session handlers, which aren't "workarounds" - because any shared resource should consider possible race conditions. – Martin Zeitler Feb 09 '19 at 03:12
- The article is proposing a solution that is looking for a problem to solve. State is essential in some circumstances, and PHP's sessions are a good starting point for most applications. As a learner, start with that, and when your needs dictate other means, learn about that. – YvesLeBorg Feb 09 '19 at 03:17
- @YvesLeBorg Thank you for the advice. I needed a guideline of what to learn so that I can understand better more complex concepts. – Richard Feb 09 '19 at 03:32
2 Answers
Your first assumption is incorrect. PHP sessions are not where you store data. Databases, files, document stores, etc. are where you store your data.
Session "data" is simply the variables included in the $_SESSION array in serialized form. You can run serialize() and unserialize() on variables to gain some insight into what these look like.
In your script, once you have started a session using session_start(), when you add, change or delete variables in $_SESSION, PHP serializes this and stores it for you.
Once a session exists, and a user makes another request that is identified as being the same user (having the same session id), which has typically been passed to the client via a cookie, then upon issuing session_start(), PHP reads the serialized data in the session file, unserializes it, and stores it back into $_SESSION.
By default, PHP will store the individual session data as files on the filesystem. For a small or medium size application, this is highly performant.
So to be clear, what people store in PHP sessions is basically variables read out of whatever other persistent storage you might have, so that you can avoid doing things like re-querying a database to get the name and user_id for a user who has already logged into your application.
It is not the master version of that data, nor the place through which you will update that data should it change. That will be the original database or MongoDB collection.
The article you posted has a number of stated and unstated assumptions including:
- Devops/Sysadmins just decide to reconfigure PHP applications to change the session handlers (misleading/false)
- The deployment involves a load balancer (possibly)
- The load balancer doesn't support or use sticky sessions
He then goes on into some detail as to several alternatives that allow for shared session handlers to solve the race conditions he describes.
As you stated, you aren't clear yet what sessions actually are, or how they work or what they do for you. The important thing to know about PHP scripts is that they are tied to a single request and sessions are a way of not repeating expensive database reads. It's essentially a variable cache for PHP to use (or not) when it suits your design.
At the point you have a cluster, as pointed out in the article, people often store data into shared resources, which can be a relational database or any of many other backends, which each have different properties that match their goals.
Again, in order to change the session handlers, there are typically code changes being made to implement the session handler functions required, and there are ways to code things that mitigate the issues brought up in the article you posted, for just about every persistence product that people use.
Last but not least, the problems described exist to whatever degree with pretty much any clustered server-side process and are not unique to PHP or its session mechanism.

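The lifecycle described in the answer above (session_start(), serialization of $_SESSION, the per-session file, and reading it back on the next request), as an added example that is not part of the original answer. The temp directory and sample values are constructed, and both "requests" are simulated inside one PHP CLI script using the default files handler.

```php
<?php
// Added example: run with the PHP CLI. Nothing is printed until the end,
// because session_start() must run before any output is sent.
$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();   // constructed path
mkdir($dir, 0700);                      // session files readable by owner only
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');    // no browser here; we carry the id ourselves
ini_set('session.cache_limiter', '');   // do not try to emit cache headers

$out = [];

// Request 1: the user logs in; cache two values that came from the database.
session_start();
$id = session_id();
$_SESSION['user_id'] = 42;              // constructed sample values
$_SESSION['name']    = 'alice';
$out[] = 'session_encode(): ' . session_encode();
session_write_close();                  // serialize $_SESSION and write it to disk

$file  = $dir . '/sess_' . $id;         // files handler naming: sess_<session id>
$out[] = 'file on disk:     ' . file_get_contents($file);

// Request 2: same session id (normally sent back by the client in a cookie).
$_SESSION = [];                         // start empty, as a fresh request would
session_id($id);
session_start();                        // reads the file, unserializes into $_SESSION
$out[] = 'restored:         ' . json_encode($_SESSION);

// Logout: destroy the server-side copy of the session.
session_destroy();
$out[] = 'file exists after destroy: ' . var_export(file_exists($file), true);
rmdir($dir);

echo implode(PHP_EOL, $out), PHP_EOL;
```

Anyone who can read the save path can read every value placed in $_SESSION, which is why the directory is created with mode 0700 here.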
Usually, that will depend on the use case and other requirements of your application, and most of the time people will use PHP frameworks to handle sessions.
Take, for example, the Yii 2 framework: the framework provides different session classes for implementing the different types of session storage. Take a look here: https://www.yiiframework.com/doc/guide/2.0/en/runtime-sessions-cookies.
Learning the different types of sessions available out there allows you to be able to make decisions by weighing the pros and cons. You can also read here for more understanding: https://www.phparch.com/2018/01/php-sessions-in-depth/
