tags:

views:

40

answers:

2
+2  Q: 

To use, or not to use, session_set_save_handler?

I'm playing around with creating a user login system in php.

I have been studying this article (http://www.evolt.org/node/60384) as a way of approaching this.

In the above article, the author uses a combination of $_SESSION and his own custom database table for storing user info.

However...

I have also come across numerous articles that recommend using session_set_save_handler to configure php sessions to use the database natively. (Which I guess is a newer technique.)

I am wondering: If I am planning on setting up an "activeUsers" table in the database for recording session data anyhow, does it make more sense to use session_set_save_handler? (Seems if I'm using the database to store some session info anyhow, I might as well dispense with filesystem sessions.)

Or is there some advantage to leaving php sessions in their default filesystem form, and then x-checking user logins against my custom db table?

Thanks (in advance) for your help.

+1  A: 

Storing session data in a database can be a little tricky to setup at first, but once you have a class or function set up to do this, then you get a few potential advantages over filesystem storage. The question is whether or not those advantages are required for your system. These are, I think, amongst the most common reasons for storing session data in a database:

Security: If using shared hosting, session data may be held in areas of the disk that are accessible by other users of the system. This could constitute a security risk for your application.

Scalability: If your application is handled by more than one server (a server farm, for instance_, you need to ensure that multiple requests from the same client, which may be processed by different servers, each receive the same session data. This is quite easy to do if the session data is in a database.

Performance: Database storage may give a performance increase over filesystem storage, but this is heavily influenced by the server configuration.

DB interaction: Depending on the role of your session data, and how your application uses it, it may be easier to retrieve session data and related information if it is all in a database.

Something else to consider is that you can enhance the session information by storing additional information, such as IP addresses, log on and log off times, and so on. This sort of information can be useful when trying to prevent session hijacking.

So, other than the scalability issue, I think it's all quite subjective. You need to weight up the extra work required to implement database session storage, with the possible benefits.

Mike  2010-06-29 11:32:09
Thanks Mike for the response. Looking over those 4 reasons, none of them apply to my case. So I have no concerns with using conventional sessions - *except* - I am planning on creating a db table "activeUsers" anyhow. I am still unclear if it makes more sense to have the sessions use the database natively, if some user 'session' information is going to be going in the database either way.
Travis  2010-06-29 11:51:14
@Travis: It doesn't sound as though you *need* to store session data in a database, but your application could end up a little cleaner if you do. You could try the [Pear HTTP_Session2](http://pear.php.net/package/HTTP_Session2) package if you don't want to write your own handler.
Mike  2010-06-29 12:11:58
+1  A: 

If you use it you need to make your own garbage collector.

Codler  2010-06-29 11:46:15

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL