Hi all. I have never tried a custom session handler so far in PHP, and with me thinking of picking up a framework (either CodeIgniter or Kohana), I see that there is an option to use a pre-built custom session handler. What are the pros and cons of going to a system in which session data is stored in the DB? In what ways does a custom session handler improve security and maintainability?

One pro which I can think of is if you are on a shared webhost, and the webhost's temp folder is full, an attempt to open a session may fail. However, if the webhost's MySQL goes away, it's equally futile.

Would appreciate any advice or guidelines. Thanks!

+2  A: 

If you dig a little deeper into PHP’s default session handling, you will probably discover some things that are inaccurate in some way. Just like the session lifetime that actually is quite important but can be inaccurate in some cases (see How long will my session last? and How do I expire a PHP session after 30 minutes?).

So it might be necessary to implement your own session handler that fixes this inaccuracy.

Other reasons can be security and performance. PHP’s default session handler uses files that could be accessed by others, be it intentionally or unintentionally. Using a protected database can make your data more secure and its caching abilities could speed things up. You could also use caches like memcached to increase the access times even more.

Gumbo