
Does anybody have any info/links as to how to integrate a cookie-based session system? I've used file/mysql, and am currently using memcached. I wanted to play with APC sessions, but thought I'd give a go at cookies, only I don't know much about it.

I imagine I'd have to write my own session handler class?

  • I'm not sure I follow. You mean storing session data in cookies? Is that a good idea? Commented Jan 11, 2010 at 19:07
  • Please note that cookies can only store a maximum of 4KB of data. This is generally why you do not see cookie-based session storage. Also take into consideration that a number of users have cookies turned off entirely or set to restrictive access with their browser's security policy. Commented Jan 11, 2010 at 19:09
  • @cballou: Regular old sessions usually use cookies too. They just store the SESSID though, and the rest of the data is stored on the server. Although I think PHP will try stuffing the SESSID into the GET param if cookies are disabled. Commented Jan 12, 2010 at 3:01
  • @Pekka yes, it's a good idea if you have a very high volume site. @cballou ya, I know about that restriction. Note that 'a number of users' having cookies off is fairly invalid; less than 1% of visitors do, and most of the time those are bots. Commented Jan 13, 2010 at 17:18

1 Answer


In PHP session data is usually stored in a file. The only thing stored in the cookie is a session identifier. When sessions are enabled and a valid session cookie is found, PHP loads the user's session data from the file into a superglobal called, funnily enough, $_SESSION.

Basic sessions are started using session_start(), called before any text is sent to the browser. Then items are added to or removed from the session object using simple array indexing, e.g.

$_SESSION['favcolour'] = 'blue'; 

later...

$favcolour = $_SESSION['favcolour'];

Basic cookie-only sessions (no local storage) can be created with a call to

setcookie('favcolour', 'blue'); // optional expires, path, domain, secure and httponly parameters can follow the value

before any text is sent to the browser, then retrieved from the cookie superglobal

$favcolour = $_COOKIE['favcolour'];

You don't need to call session_start() if doing cookie-only sessions.

The optional parameters are more advanced and can be read about here: http://www.php.net/manual/en/function.setcookie.php

Sessions can become a very complex discussion; I'd suggest doing some light work in them and then expanding your knowledge.

DC

All you ever wanted to know about PHP sessions:

http://www.php.net/manual/en/book.session.php

DC

To reuse PHP's session handling code you will need to add a write handler using session_set_save_handler and then do exactly nothing in that handler. That's because it's called after the output to the browser is closed, therefore you cannot send anything to the browser.

Before writing non-header data to the browser, use the setcookie function and store the contents of the $_SESSION array (after serialising and encrypting) in a cookie. When the application starts you can read the cookie, unserialise it and put it into the $_SESSION array.

That's a quick hint at what to do, as I have never done it; I prefer to write all my own cookie code. There may be some gotchas, but it's not hard; a few tests should find any gotchas.

DC
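Putting the answer's sketch (serialise, encrypt, store in a cookie, restore on the next request) into working code. This is an added example, not the answerer's code; the cookie name, the COOKIE_SESSION_KEY environment variable and the helper names are assumptions, and the 4 KB cookie limit mentioned in the comments is enforced rather than left to fail silently.

```php
<?php
// Added example (not the answer's code): the cookie-only session the answer sketches.
// $_SESSION is serialized, sealed with AES-256-GCM and written to ONE cookie; the next
// request unseals it. COOKIE_SESSION_NAME, COOKIE_SESSION_KEY and helper names are assumed.
const COOKIE_SESSION_NAME = 'sess';
const COOKIE_SESSION_MAX  = 4096;   // browsers cap a cookie at roughly 4 KB

function cookie_session_seal(array $data, string $key): string {
    $plain = serialize($data);
    $iv    = random_bytes(12);      // fresh 96-bit nonce for every write
    $tag   = '';
    $ct    = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function cookie_session_open(string $cookie, string $key): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                // missing or malformed cookie: start with an empty session
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                // GCM tag mismatch: tampered with, or sealed under another key
    }
    // allowed_classes => false: never instantiate objects from client-controlled bytes
    $data = unserialize($plain, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}
// Request start: restore $_SESSION from the cookie; no session_start() involved.
$hex = getenv('COOKIE_SESSION_KEY');        // assumed: 64 hex chars, i.e. a 32-byte key
if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
    throw new RuntimeException('COOKIE_SESSION_KEY must hold a 32-byte hex key');
}
$key = hex2bin($hex);
$_SESSION = cookie_session_open($_COOKIE[COOKIE_SESSION_NAME] ?? '', $key) ?? [];
$_SESSION['favcolour'] = 'blue';
// Before any output: write the sealed payload back, refusing anything over the limit.
$sealed = cookie_session_seal($_SESSION, $key);
if (strlen($sealed) > COOKIE_SESSION_MAX) {
    throw new RuntimeException('session payload exceeds the cookie size limit');
}
setcookie(COOKIE_SESSION_NAME, $sealed, [
    'httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/',
]);
```

Because the payload is authenticated, a client that edits the cookie gets an empty session rather than altered data; reading the contents still requires the server key, which addresses the "tamper with (or read)" concern raised in the comments.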


7 Comments

I probably wouldn't go cookie-only though, especially if you don't want users to tamper with (or read) the data.
If you have a very busy website, file-based sessions are too resource intensive. But if I wanted security above all else I'd use a DB, because files can be read.
I don't need to know how to use sessions; I fully understand that. Cookie-based sessions (not identifier storage in cookies) are a valid technique that minimizes the number of server DB/file/cache lookups and stores all the data for a session in an encrypted cookie. I guess no one here understands what I mean.
The second part of the above answer ("basic cookie-only sessions") shows you how to use cookies for a "browser session", i.e. it lasts till the user closes the browser. The encryption is up to you. This method uses no DB/file/cache lookup.
BTW, if you have more than 4K worth of data (varies with browser) then it will fail.
