 

Why not use PHP's built-in session handling?

Tags: php, session

Is there currently - or has there ever been - any serious or significant problem with PHP's built-in session handling?

I mean, it's always worked for me and my projects.

But I see some codebases and frameworks out there seem to use a custom handler. Is this reinventing the wheel? Or improving on some flaws? What flaws?

Dougal asked Apr 28 '10 16:04



2 Answers

Pros and cons of PHP's built-in session handler

  1. Pros:

    1. Easy to use (just call session_start() and you're done)
    2. Available OOTB.
  2. Cons:

    1. Uses only the SESSID (or SID, SESSIONID, etc.) cookie to recognize the user. That's not much, and this information can be easily stolen using XSS attacks or something like that.
    2. In most cases you aren't able to do things like get the total count of active sessions (often used in "Who's online?" features)

Pros and cons of your own session handler

  1. Pros:

    1. Works the way you want it to work
    2. Total control over how you recognize users. You can use the cookie, IP address and browser signature to make sure that stealing a session is impossible (or at least a much harder task).
    3. You can choose where the session data is stored (database/filesystem)
    4. You've got control over the session mechanism as a whole
  2. Cons:

    1. You have to spend several minutes to create such a handler
Crozin answered Oct 23 '22 00:10
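The cons listed in the answer above are normally addressed by configuring the built-in handler rather than replacing it. What follows is an added example, not code from Crozin's answer or from PHP itself, showing the stock settings a practitioner applies: strict mode against session fixation, HttpOnly/Secure/SameSite cookie flags so an XSS payload cannot read the ID out of document.cookie, session_regenerate_id() on login, idle and absolute timeouts, and a cheap User-Agent binding. The cookie name APPSESSID, the function names, and the 1800 s / 8 h limits are my own choices; the code assumes PHP 7.3+ (array form of session_set_cookie_params() and setcookie()) and that the site is served over TLS. IP binding is deliberately left out: it breaks users behind NAT or on mobile networks, and the IP is no more secret than the User-Agent.

```php
<?php
// Added example (not from the original answer): harden PHP's built-in session
// handler instead of replacing it. Assumes PHP 7.3+ and HTTPS.
declare(strict_types=1);

function configureSession(): void
{
    // Reject IDs the server never issued; this is what defeats session fixation.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Longer, higher-entropy IDs than the historical default (32 chars, 4 bits each).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // HttpOnly: document.cookie cannot read the ID, so XSS cannot exfiltrate it
    // (a payload can still act inside the session while the page is open).
    // Secure: never sent over plaintext HTTP. SameSite=Lax: not attached to
    // most cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name('APPSESSID'); // hypothetical name; avoids the default PHPSESSID
    session_start();
}

/** Call after credentials have been verified ($userId comes from your own auth check). */
function loginUser(int $userId): void
{
    // Fresh ID at privilege change: a pre-login ID, fixated or sniffed, becomes useless.
    session_regenerate_id(true);
    $_SESSION['uid']        = $userId;
    $_SESSION['created_at'] = time();
    $_SESSION['last_seen']  = time();
    // Weak but cheap binding: a stolen ID replayed from a different client is caught.
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Returns the user ID, or ends the request if the session is not trustworthy. */
function requireValidSession(int $idleLimit = 1800, int $absoluteLimit = 8 * 3600): int
{
    $now    = time();
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $valid  = isset($_SESSION['uid'], $_SESSION['created_at'], $_SESSION['last_seen'], $_SESSION['ua_hash'])
        && hash_equals($_SESSION['ua_hash'], $uaHash)
        && ($now - $_SESSION['last_seen'])  <= $idleLimit       // idle timeout
        && ($now - $_SESSION['created_at']) <= $absoluteLimit;  // absolute lifetime
    if (!$valid) {
        logoutUser();
        http_response_code(401);
        exit('session invalid or expired');
    }
    $_SESSION['last_seen'] = $now;
    return (int) $_SESSION['uid'];
}

/** Destroy server-side state and expire the cookie in the browser. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

configureSession();
// Flow: loginUser(42) once credentials check out, then on every later request
// $uid = requireValidSession();
```

None of this needs a custom handler; the settings can also go in php.ini or .htaccess. What the built-in handler still cannot give you is the "total count of active sessions" point from the answer, which is a storage question rather than a security one.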


Is there currently - or has there ever been - any serious or significant problem with PHP's built-in session handling?

No problems with the built-in handlers. Access and deletion of old session files are implemented well.

Is this reinventing the wheel? Or improving on some flaws? What flaws?

File based session handling works fine for single server websites. Problems may arise when applications need to be run on multiple servers (scaled out). A master database can be used to store and provide session information across multiple servers. This can make things easier when an application is scaled out. Custom session handlers can be used to interact with the database.

webbiedave answered Oct 22 '22 23:10