Best library for PHP Sessions

Xeoncross · Jul 11, 2009 · Viewed 9.4k times

I have been using the CodeIgniter system for a while now - but it has its shortcomings. I am grateful for what it taught me, but now I need a library for a new non-CodeIgniter project and so I am looking around for ideas on which libraries have things right and which don't. I will probably have to take pieces from several libraries to get everything I need.

I just took a look at the Kohana PHP session library and I like how it returns to the native PHP way of using the $_SESSION superglobal instead of forcing a change to $this->session for data access.

At any rate, I wanted to know if there were other good session libraries out there I might be missing. There is a lot that must be handled in a session besides just CRUD functionality.

  • Support for NON-cookie based session passing (i.e. Facebook or Flash uploaders)
  • "Flash data" that only lasts for the next page load and then is auto-removed.
  • Works with $_SESSION or $this->session so that programmers don't have to change existing code.
  • Supports setting a new session id (i.e. session_id('new id')) in case you want to change the id mid-way through the page.
  • Saves all data at the end of the page request instead of each time data is added or removed (saves extra DB queries).
  • Supports using files, cookies, or Database for storage. (or memcached would be nice)
  • Attempts to deny access in case of a session hijack. (IP, useragent, or fingerprint)

I just spent some time going over the logic for the CodeIgniter and Kohana session libraries and I came up with the following on how each starts and ends sessions for the page.

/**************
** Kohana Sessions
**************/
If not native file storage {
    session_set_save_handler to the storage type (DB, cache, cookie...)
}

set the session_name() so php knows what cookie value to check

start session

/****** Saving ******/

session_write_close() which calls the given handler


/**************
** CI Sessions
**************/

Try to read_session() -> {
    session = Get cookie (if using cookies will also contain data)

    if(database) { 
        session .= pull data from database
    }

    checks if valid...

    $this->userdata = session data

} else { 
    create a new one
}

/****** Saving ******/

session data is serialized either way

if(cookie) {
    save cookie with serialized data and params like "last_activity"
}
if(database) {
    save serialized data in db and session in cookie
}

Answer

Stefan Gehrig · Jul 11, 2009

Did you have a look at Zend_Session?

  • you can pass the session identifier via URL using PHP settings
  • you can expire certain session variables by time or by hops (requests)
  • migration into other apps won't be that easy and I think it's not very good when you mess with $_SESSION when you use Zend_Session
  • Zend_Session has an adapter-based approach for saving session data. A save-handler for DBs is included, but its architecture allows for custom handlers to be passed in.
  • Zend_Session supports validators to check the validity of a session. Here too we have an open architecture that allows you to pass in custom objects for validation.
  • you can lock a session, aka make it read-only
  • you can prevent the instantiation of multiple instances of the same session namespace
  • plus there is a lot more to discover with Zend_Session such as regenerating session ids, issuing remember-me cookies, revoking remember-me cookies and so on.
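
The hijack check and the "flash data" from the question's list (which the answer relates to Zend_Session validators and expiration by hops), sketched against plain PHP arrays as an added example. It is not part of the question, the answer, or any of the libraries named; every function name and the `_fingerprint` / `_flash_*` keys are assumptions.

```php
<?php
// Added example. Helper names are hypothetical, not CodeIgniter, Kohana or Zend_Session APIs.

// HMAC of the User-Agent. The header is copyable by an attacker, so treat a match
// as a consistency check, never as authentication.
function session_fingerprint(array $server, string $secret): string {
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', $secret);
}

// Store the fingerprint on first use; on a mismatch wipe the data and report failure.
function validate_session(array &$session, array $server, string $secret): bool {
    $current = session_fingerprint($server, $secret);
    if (!isset($session['_fingerprint'])) {
        $session['_fingerprint'] = $current;
        return true;
    }
    if (!hash_equals((string) $session['_fingerprint'], $current)) {
        $session = [];
        return false;
    }
    return true;
}

// Flash data: call once per request; last request's writes become readable, older ones drop.
function flash_rotate(array &$session): void {
    $session['_flash_old'] = $session['_flash_new'] ?? [];
    $session['_flash_new'] = [];
}
function flash_set(array &$session, string $key, $value): void {
    $session['_flash_new'][$key] = $value;
}
function flash_get(array $session, string $key, $default = null) {
    return $session['_flash_old'][$key] ?? $default;
}

// Constructed demo: plain arrays stand in for $_SESSION and $_SERVER so it runs from the CLI.
// In a web request pass $_SESSION and $_SERVER after session_start(), and call
// session_regenerate_id(true) after a failed validation or a login.
$secret = 'constructed-demo-secret';
$sess = [];
$client = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$other = ['HTTP_USER_AGENT' => 'OtherClient/2.0'];
var_dump(validate_session($sess, $client, $secret)); // request 1
flash_rotate($sess);
flash_set($sess, 'notice', 'Profile saved');
var_dump(validate_session($sess, $client, $secret)); // request 2, same client
flash_rotate($sess);
var_dump(flash_get($sess, 'notice'));
var_dump(validate_session($sess, $other, $secret), $sess); // different User-Agent
```

Because the helpers take the session array by reference, the same calls work on `$_SESSION` regardless of which save handler (files, database, memcached) sits behind it.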