Why not use PHP's built-in session handling?

Question

Is there currently - or has there ever been - any serious or significant problem with PHP's built-in session handling?

I mean, it's always worked for me and my projects.

But I see some codebases and frameworks out there seem to use a custom handler. Is this reinventing the wheel? Or improving on some flaws? What flaws?

Answer 1

Pros and cons of PHP's built-in session handler

1. Pros:

   1. Easy to use (just use session_start() and you're done)
   2. Available OOTB.

2. Cons:

   1. Uses only SESSID (or SID, SESSIONID, etc.) cookie to recognize user. That's not much, and this information can be easily stolen using XSS attacks or something like that.
   2. In most cases you aren't able to do things like get total count of active sessions (often used in Who's online? features)

Pros and cons of your own session handler

1. Pros:

   1. Works in the way you want it to work
   2. Total control over how do you recognize users. You can use cookie, IP address, browser signature to make sure that stealing session is impossible (or at least it's much harder task).
   3. You can chose the place where the session data is stored (database/filesystem)
   4. You've got control over session mechanism as a whole

2. Cons:

   1. You have to spend several minutes to create a such handler

Answer 2

Is there currently - or has there ever been - any serious or significant problem with PHP's built-in session handling?

No problems with the built-in handlers. Access and deletion of old session files are implemented well.

Is this reinventing the wheel? Or improving on some flaws? What flaws?

File based session handling works fine for single server websites. Problems may arise when applications need to be run on multiple servers (scaled out). A master database can be used to store and provide session information across multiple servers. This can make things easier when an application is scaled out. Custom session handlers can be used to interact with the database.