What options are there to implement your own session management in PHP?

Is there a nice way to implement a component which performs all session tasks? How can I construct a class which receives the HTTP Request and Response during one request process? I only found the option "session_save_handler" which seems to define the storage handler. What I need is to replace the whole session management. Is there another way using the PHP configuration or do I have to implement my own controller which receives all requests and calls my session management?

Thanks for your help

Regards Michael

A: 

Using the session_save_handler() function allows you to handle how the session information is stored and retrieved.

By default PHP stores the session information in temporary files located somewhere on your web server. You can define callback functions using the session_save_handler() function where you can have this information stored in a database table instead.

Even if you handle sessions with your own defined functions with the session_save_handler() function, you would still access the information with the superglobal variable $_SESSION.

The session_save_handler() function seems not sufficient to me. I need to implement my own ID-generation, -invalidation and so on. Therefore not only the storage of sessions has to be changed but the whole session management itself.
Michael S
A: 

Hi,

Check out this page from the php online manual. Has lots of useful information with regards to your question. Hope it helps.

Martin Chiteri
I already found this page, anyway it is about session storage management and not about session management itself - as stated in the comment on JRSofty's post!
Michael S
+1  A: 

I am not sure what you want to achieve. It seems more like you want to abstract away from the $_SESSION variable than that you want to change the storage.

Take a look at the way the Zend or the Solar framework handle the Session access.

http://www.phpeveryday.com/articles/Zend-Framework-Session-Introduction-P571.html

http://solarphp.org/manual:sessions

How can I construct a class which receives the HTTP Request and Response during one request process?

I don't know what you mean by receiving the response, but the frameworks have front-/page-controllers which route to the chosen action, then call a method that can access the Session (read/write) and Request (read) objects and generates a Response object which is then rendered through a template.

For automatic testing you can construct your own Request and Session objects and pass them to the page controller.

GrGr
"It seems more like you want to abstract away from the $_SESSION variable than that you want to change the storage." - That's not exactly what I want. The best solution would be if I could go on using $_SESSION but in the background my SessionManagement is called instead of PHP's original one. Another example would be session_start() - which initializes MY SessionManagement. Does PHP offer an interface and a configuration possibility for that?
Michael S
I have never used it, but the first callback argument for session_set_save_handler() is the one that is called on session_start(). So you could plug in your session_id() generation there. To register the methods of an object with session_set_save_handler() take a look here: http://www.mt-soft.com.ar/2007/12/21/using-a-mysql-database-to-store-session-data/
GrGr
+2  A: 

No, I'm sorry to say, there is no interface to switch the built-in 'modules' to your own. There are some hooks (e.g. session_save_handler(), set_error_handler()), and that's unfortunately it.

The $_SESSION is a 'super global' and should IMO not be set directly either way if you're working on bigger projects. Then it would be better to use a custom class responsible for handling sessions. It will make the code easier to debug and so on.

Stojg
Could you elaborate as to why it shouldn't be directly set (assuming any data entered by client has been sanitized)?
Sev
Global state is a very dangerous thing when you are programming. That is when a lot of code from various locations can change the 'State' of the application without you having any good way of telling which code fragment is doing it. It will be a hassle to debug. If you're using a class as an entry point, you can at least be sure to trap errors when they are entering the system. Have a look at how Misko Hevery explains it in a better way than I am: http://www.youtube.com/watch?v=-FRm3VPhseI
Stojg
+1  A: 

You said it yourself in one of the comments. Just wrap the $_SESSION in a class. I don't think you can replace it, but you can certainly build your own interface to it.

You could, for example, build a class that is constructed first thing and call session_start() inside the constructor.

David Archer
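
Added example (not code from any poster in this thread): one way to build the wrapper class suggested in the answers above, with session_start() in the constructor and ID rotation and invalidation kept in one place. The class name SessionManager, the '_last_seen' key and the 30-minute idle limit are assumptions; it also assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Added example. Names and the idle limit are assumptions for illustration.
final class SessionManager
{
    private const IDLE_LIMIT = 1800;     // seconds of inactivity allowed (assumed policy)
    private const META = '_last_seen';   // bookkeeping key kept inside $_SESSION

    public function __construct()
    {
        session_start([
            'use_strict_mode'  => 1,     // refuse session IDs the server never issued
            'use_only_cookies' => 1,     // never accept the ID from the URL
            'cookie_httponly'  => 1,     // hide the cookie from page scripts
            'cookie_secure'    => 1,     // assumes HTTPS
            'cookie_samesite'  => 'Lax',
        ]);
        $last = $_SESSION[self::META] ?? time();
        if (time() - $last > self::IDLE_LIMIT) {
            $_SESSION = [];              // idle too long: drop the data
            $this->rotateId();           // and retire the old ID
        }
        $_SESSION[self::META] = time();
    }

    public function get(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $default;
    }

    public function set(string $key, $value): void
    {
        $_SESSION[$key] = $value;
    }

    // Call on login or any privilege change so an ID fixed beforehand is useless.
    public function rotateId(): void
    {
        session_regenerate_id(true);     // true = delete the old session's stored data
    }

    // Logout: clear the data, expire the cookie, remove the stored session.
    public function invalidate(): void
    {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}
```

Application code then reads and writes only through get() and set(), which gives the single entry point the answers argue for.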