
What things should be saved in SESSION and what should not be?

Tags: php, session

I'll give one example of why this question appeared in my head: Let's say I create a class 'PDOstart' which extends the PDO class. In class 'PDOstart' all variables needed for PDO are defined in the private section (like host, user, password, etc.). So it makes it very easy to use the PDO class, like:

$con = new PDOstart();
$con->query("SELECT ... ");

Because on my webpage I use only one DB, I began thinking: why not add the PDOstart object into SESSION? Like: $_SESSION['db'] = $con; ? So I don't need to do "new PDOstart" on every page. But I'm not sure that would be a good idea...

Is there anything that I should avoid adding to $_SESSION (for security or performance reasons)?

user9440008 asked Feb 25 '23 10:02


1 Answer

User ID, so that every time the page loads you know what user is browsing; metadata such as timespan from page changes (Bot Detect), Local information, User template selection. Anything that's required for that session, really.

As you stated $con let me explain something.

There are several variable types in PHP and the main ones are:

  • strings
  • booleans
  • integers
  • objects
  • arrays
  • resources

Now you can store all of them in the session apart from resources, as they are such things as file handles and connections to external entities; they're only open for the time it takes the page to be processed by PHP, then they're closed.

The others are OK as they're stored in memory and are static as such; they will not change unless you programmatically change them.

The main entities you should store in the session are:

  • GUID: So that you can track what user is logged in.
  • Flash Data: So if you're doing a redirect you will be able to show an error message on the other page.
  • Browser Data: So that you can compare that the browser that is currently browsing is the same as the last; this way you can kill the session for security.

Things like Database Data such as User Rows should not be stored in the session and you should create a separate cache mechanism to do this for you.

RobertPitt answered Mar 15 '23 02:03

RobertPitt
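
An added example (not part of the answer above, and not the asker's code) of the split the answer describes: the session holds only a user identifier, flash data and a browser fingerprint, while the database handle is rebuilt per request. The function names, the SHA-256 fingerprint of the User-Agent header and the in-memory SQLite DSN are assumptions made for illustration, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Per-request connection factory: a PDO handle wraps a live connection,
// so it is rebuilt on each request instead of being put in $_SESSION.
function db(): PDO
{
    static $pdo = null;
    // Assumption: in-memory SQLite stands in for the site's real DSN.
    return $pdo ??= new PDO('sqlite::memory:');
}

// Hash of the browser data stored at login and compared on later requests.
function browserFingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

function login(array &$session, array $server, int $userId): void
{
    $session = [
        'user_id' => $userId,                  // identifier only, not the user row
        'browser' => browserFingerprint($server),
        'flash'   => 'Welcome back',           // shown once after the redirect
    ];
}

// Returns the logged-in user id, or null after killing a mismatched session.
function currentUserId(array &$session, array $server): ?int
{
    if (!isset($session['user_id'], $session['browser'])) {
        return null;
    }
    if (!hash_equals($session['browser'], browserFingerprint($server))) {
        $session = [];   // with real sessions, also call session_destroy()
        return null;
    }
    return $session['user_id'];
}

// Constructed request data for the demonstration.
$session = [];
login($session, ['HTTP_USER_AGENT' => 'Browser/1.0'], 42);
var_dump(currentUserId($session, ['HTTP_USER_AGENT' => 'Browser/1.0']));
var_dump(currentUserId($session, ['HTTP_USER_AGENT' => 'Other/2.0']));
try {
    serialize(db());     // what $_SESSION['db'] = $con attempts at session write
} catch (Throwable $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

The final `serialize()` call is rejected by PHP because PDO instances cannot be serialized, which is the concrete reason `$_SESSION['db'] = $con` does not work.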