views:

1061

answers:

3

I have been using the CodeIgniter system for a while now - but it has its shortcomings. I am grateful for what it taught me, but now I need a library for a new non-CodeIgniter project and so I am looking around for ideas on which libraries have things right and which don't. I will probably have to take pieces from several libraries to get everything I need.

I just took a look at the Kohana PHP session library and I like how it returns to the native PHP way of using the $_SESSION superglobal instead of forcing a change to $this->session for data access.

At any rate, I wanted to know if there were other good session libraries out there I might be missing. There is a lot that must be handled in a session besides just CRUD functionality.

  • Support for NON-cookie based session passing (i.e. Facebook or Flash uploaders)
  • "Flash data" that only lasts for the next page load and then is auto-removed.
  • Works with $_SESSION or $this->session so that programmers don't have to change existing code.
  • Supports setting a new session id (i.e. session_id('new id')) in case you want to change the id mid-way through the page.
  • Saves all data at the end of the page request instead of each time data is added or removed (saves extra DB queries).
  • Supports using files, cookies, or Database for storage. (or memcached would be nice)
  • Attempts to deny access in case of a session hijack. (IP, useragent, or fingerprint)

I just spent some time going over the logic for the CodeIgniter and Kohana session libraries and I came up with the following on how each starts and ends sessions for the page.

/**************
** Kohana Sessions
**************/
If not native file storage {
    session_set_save_handler to the storage type (DB, cache, cookie...)
}

set the session_name() so php knows what cookie value to check

start session

/****** Saving ******/

session_write_close() which calls the given handler


/**************
** CI Sessions
**************/

Try to read_session() -> {
    session = Get cookie (if using cookies will also contain data)

    if(database) { 
     session .= pull data from database
    }

    checks if valid...

    $this->userdata = session data

} else { 
    create a new one
}

/****** Saving ******/

session data is serialized either way

if(cookie) {
    save cookie with serialized data and params like "last_activity"
}
if(database) {
    save serialized data in db and session in cookie
}
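The flow sketched above for Kohana (register a save handler, set the session name, start, and let session_write_close() do the single write) can be put together with most of the items on the wish list in a few dozen lines of plain PHP. The following is an added example written for this page, not the original poster's library nor Kohana's or CodeIgniter's code. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and the pdo_sqlite extension; the class name PdoSessionHandler, the functions session_fingerprint() and secure_session_start(), the cookie/POST field name SESSID and the `_meta` key are all this example's own choices.

```php
<?php
// Added example, not the original poster's library. Assumptions: PHP >= 7.3,
// pdo_sqlite available; all names below are this example's own.

class PdoSessionHandler implements SessionHandlerInterface
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, last_activity INTEGER NOT NULL)');
    }

    #[\ReturnTypeWillChange]
    public function open($path, $name) { return true; }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // '' (not false) means "no such session"
    }

    // PHP calls this once, from session_write_close() or at shutdown, with the
    // whole serialized $_SESSION: one query per request however many keys changed.
    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, last_activity) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    #[\ReturnTypeWillChange]
    public function gc($max_lifetime)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_activity < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

function session_fingerprint(bool $pin_ip = false): string
{
    // The user agent is stable for one browser session. Pinning the IP breaks
    // mobile and NAT users, so it is opt-in. A mismatch means "not the same client".
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($pin_ip) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode('|', $parts));
}

function secure_session_start(SessionHandlerInterface $handler, int $rotate_after = 300): void
{
    session_set_save_handler($handler, true);  // true: session_write_close() at shutdown
    session_name('SESSID');                     // cookie name PHP looks for
    ini_set('session.use_only_cookies', '1');   // never take the id from the URL
    ini_set('session.use_strict_mode', '1');    // ids the store has never seen are discarded
    session_set_cookie_params([
        'httponly' => true, 'samesite' => 'Lax', 'secure' => !empty($_SERVER['HTTPS']),
    ]);

    // Non-cookie clients (a Flash uploader posts the id back in the form body):
    // accept it only from POST and only if it looks like a PHP session id;
    // strict mode still discards it unless the store already holds that id.
    if (empty($_COOKIE['SESSID']) && isset($_POST['SESSID'])
        && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_POST['SESSID'])) {
        session_id($_POST['SESSID']);
    }

    session_start();
    $now = time();
    $fp  = session_fingerprint();

    if (!isset($_SESSION['_meta'])) {                       // brand-new session
        $_SESSION['_meta'] = ['fp' => $fp, 'rotated' => $now];
        return;
    }
    if (!hash_equals($_SESSION['_meta']['fp'], $fp)) {      // possible hijack: start clean
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_meta'] = ['fp' => $fp, 'rotated' => $now];
        return;
    }
    if ($now - $_SESSION['_meta']['rotated'] >= $rotate_after) {
        // Periodic rotation; true deletes the old record so a captured id goes stale.
        session_regenerate_id(true);
        $_SESSION['_meta']['rotated'] = $now;
    }
}

$db = new PDO('sqlite::memory:');   // swap the DSN for MySQL/PostgreSQL in practice
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
secure_session_start(new PdoSessionHandler($db));
$_SESSION['user_id'] = 42;          // plain $_SESSION, no $this->session wrapper
session_write_close();              // single write through PdoSessionHandler::write()
```

The handler is the only storage-specific part: a file, memcache or cookie backend is the same five methods behind SessionHandlerInterface, and $_SESSION code above it does not change. Note that session_id('new id') only takes effect before session_start(), which is why the POST-token branch sits where it does; after the session is open, changing the id means session_regenerate_id().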
+4  A: 

Did you have a look at Zend_Session?

  • you can pass the session identifier via URL using PHP settings
  • you can expire certain session variables by time or by hops (requests)
  • migration into other apps won't be that easy and I think it's not very good when you mess with $_SESSION when you use Zend_Session
  • Zend_Session has an adapter-based approach for saving session data. A save-handler for DBs is included, but its architecture allows for custom handlers to be passed in.
  • Zend_Session supports validators to check the validity of a session. Here too we have an open architecture that allows you to pass in custom objects for validation.
  • you can lock a session, aka make it read-only
  • you can prevent the instantiation of multiple instances of the same session namespace
  • plus there is a lot more to discover with Zend_Session such as regenerating session ids, issue remember-me-cookies, revoke remember-me-cookies and so on.
Stefan Gehrig
Thanks for the reminder. Zend usually covers all of their bases so it is great code to check. However, at 10 files just for a session handler - I think I will pull some of the better parts so I don't mess anything up writing my own. The Zend Session class seems to follow closer to the Kohana class by relying on the $_SESSION superglobal and setting session handlers - which definitely seems like the right way to go.
Xeoncross
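The "expire by time or by hops" feature mentioned in the answer is the same mechanism as the "flash data" item in the question: a value that survives exactly N further requests, or until a timestamp, and is then dropped automatically. The following is an added example, not Zend_Session's code, showing one way to keep such rules inside the session array itself so they survive whatever save handler is in use. The class name SessionExpiry, the `_expire` bookkeeping key and the fake clock values are this example's own; it operates on a plain array so it runs from the CLI, and the same calls work on $_SESSION.

```php
<?php
// Added example, not Zend_Session's code. Hop and time expiry for individual
// session keys; the bookkeeping lives under $session['_expire'].

final class SessionExpiry
{
    private const KEY = '_expire';

    // Call once per request right after session_start(): drop what has
    // expired, then count down hops for the rest. A hop is one request
    // *after* the one that stored the value, so hops = 1 is classic flash data.
    public static function tick(array &$session, int $now): void
    {
        foreach ($session[self::KEY] ?? [] as $name => $rule) {
            $dead = isset($rule['until']) && $now >= $rule['until'];
            if (isset($rule['hops'])) {
                if ($rule['hops'] <= 0) {
                    $dead = true;
                } else {
                    $session[self::KEY][$name]['hops'] = $rule['hops'] - 1;
                }
            }
            if ($dead) {
                unset($session[$name], $session[self::KEY][$name]);
            }
        }
    }

    // Visible for the next $hops requests, then removed.
    public static function setFlash(array &$session, string $name, $value, int $hops = 1): void
    {
        $session[$name] = $value;
        $session[self::KEY][$name] = ['hops' => $hops];
    }

    // Visible until the given unix timestamp, then removed.
    public static function setUntil(array &$session, string $name, $value, int $until): void
    {
        $session[$name] = $value;
        $session[self::KEY][$name] = ['until' => $until];
    }

    // Reading a flash value normally consumes it immediately.
    public static function take(array &$session, string $name)
    {
        $value = $session[$name] ?? null;
        unset($session[$name], $session[self::KEY][$name]);
        return $value;
    }
}

// Constructed walk-through: a plain array stands in for $_SESSION, and the
// integers stand in for time(). Request 1 stores a notice and a short-lived code.
$s = [];
SessionExpiry::setFlash($s, 'notice', 'Profile saved.');
SessionExpiry::setUntil($s, 'otp', '493021', 1000 + 60);

SessionExpiry::tick($s, 1010);   // request 2: both still present
assert($s['notice'] === 'Profile saved.' && $s['otp'] === '493021');

SessionExpiry::tick($s, 1070);   // request 3: hop spent and 60 s elapsed
assert(!isset($s['notice']) && !isset($s['otp']));
assert(empty($s['_expire']));
```

Because the rules are ordinary session data, they serialize with everything else and are written by the single write at the end of the request; nothing extra hits the database. The only thing the page must guarantee is that tick() runs before any read of $_SESSION, otherwise a stale flash value is shown one request too many.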
+2  A: 

Hi,

You can use this in CI:

http://codeigniter.com/wiki/EckoSession/

Regards, Pedro

Pedro
Thanks, but like I said this won't be for a codeigniter project. Actually, I had already downloaded that library while looking at Zend_Session and many other session libraries. By reviewing the code from each one a pattern is starting to emerge as to what "best-practices" are for session handling.
Xeoncross
+2  A: 

Ok, after digging through the custom, non-$_SESSION-based CodeIgniter lib, the two Kohana and Zend libs (which use $_SESSION), and several other session libraries from other projects I believe that I have built the answer to my problem. Something that satisfies all of the things I listed above (except flash data).

Here is the code if anyone wants to use it or read it while building their own library. I left a lot of comments thoroughly explaining the whole thing and would love to have some feedback on it. It supports tokens, Flash-based uploaders, cookies, session regeneration every 5 mins (or whatever you set) with removal of old sessions, and support for storing sessions in any database, the file system, memcache, or any other form that you want to set.

Xeoncross