Best library for PHP Sessions
I have been using the CodeIgniter system for a while now - but it has it's short comings. I am grateful for what it taught me, but now I need a library for a new non-codeigniter project and so I am looking around for ideas on which libraries have things right and which don't. I will probably have to take pieces from several libraries to get everything I need.
I just took a look a the Kohana PHP session library and I like how it returns to the native PHP way of using the $_SESSION superglobal instead of forcing a change to $this->session for data access.
At any rate, I wanted to know if there were other good session libraries out there I might be messing. There is a lot that must be handled in a session besides just CRUD functionally.
- Support for NON-cookie based session passing (i.e. Facebook or Flash uploaders)
- "Flash data" that only lasts for the next page load and then is auto-removed.
- Works with $_SESSION or $this->session so that programmers don't have to change existing code.
- Supports setting a new session id (i.e. session_id('new id')) in case you want to change the id mid-way through the page.
- Saves all data at the end of the page request instead of each time data is added or removed (saves extra DB queries).
- Supports using files, cookies, or Database for storage. (or memcached would be nice)
- Attempts to deny access in case of a session hijack. (IP, useragent, or fingerprint)
I just spent some time going over the logic for the CodeIgniter and Kohana session libraries and I came up with the following on how each starts and ends sessions for the page.
/**************
** Kohana Sessions
**************/
If not native file storage {
session_set_save_handler to the storage type (DB, cache, cookie...)
}
set the session_name() so php knows what cookie value to check
start session
/****** Saving ******/
session_write_close() which calls the given handler
/**************
** CI Sessions
**************/
Try to read_session() -> {
session = Get cookie (if using cookies will also contain data)
if(database) {
session .= pull data from database
}
checks if valid...
$this->userdata = session data
} else {
create a new one
}
/****** Saving ******/
session data is serialized either way
if(cookie) {
save cookie with serialized data and params like "last_activity"
}
if(database) {
save serialized data in db and session in cookie
}
Answer
Did you have a look at Zend_Session?
- you can pass the session identifier via URL using PHP settings
- you can expire certain session variables by time or by hops (requests)
- migration into other apps won't be that easy and I think it's not very good when you mess with
$_SESSIONwhen you useZend_Session Zend_Sessionhas an adpater based-approach for saving session data. A save-handler for DBs is included, but its architecture allows for custom handlers to be passed in.Zend_Sessionsupports validators to check the validity of a session. Here too we have an open architecture that allows you to pass in custom objects for validation.- you can lock a session, aka make it read-only
- you can prevent the instantiation of multiple instances of the same session namespace
- plus there is a lot more to discover with
Zend_Sessionsuch as regenerating session ids, issue remember-me-cookies, revoke remember-me-cookies and so on.