UX Labs

Reputation: 1521

OOP Object in Session, when not to?

I'm wondering when should I not store objects in sessions?

I'm working on a user-driven system, and I need to define messages, for example, after login "Welcome back User", or on wrong login information, and these messages have different types "error, success, warning, etc...", so I created a controller for it. I create a new object from that Message class, attach it as serialized to the view, and the view unserializes it, and then removes it from the session.

I'm just having a feeling that I'm making a mistake here. Is it OK to use this method from a performance perspective, what security issues can there be with it, and does the object remain in the server-side memory? Or should I handle flushing it as well?

Upvotes: 0

Views: 73

Answers (1)

Mihai Stancu

Reputation: 16107

Terminology:

These types of behaviors are usually called message flashes. They are implemented by most web frameworks and by all web applications.

Some use objects to represent them, some just arrays. If your "message object" is not very complex, there's no reason to think it would be a performance burden.

Security:

On the side of security, session data in PHP is kept serialized (you don't need to serialize it yourself) and stored in a file on the server hard disk somewhere. It can be retrieved based on the session ID cookie (which PHP sets up whenever you use session_start()).

Your security concern relates to the security of session data in general -- not the security of messages stored in sessions, so you can research the subject of session data security separately.

Design:

Storing messages in the session until they are displayed to the user (and then removing them from the session) is commonplace and you should not worry about security issues with this approach.

On the other hand, most MVC frameworks will use one controller per page, which means that creating a particular controller just for handling messages wouldn't make sense (unless your MVC uses multiple controllers to render a page).

Upvotes: 2
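A minimal flash-message helper along the lines discussed above, as an added example that is not part of the original question or answer: it stores plain arrays in `$_SESSION` (no manual serialize/unserialize), removes them on first read, and escapes the text when rendering. The function names, the `_flash` session key and the sample messages are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Message types taken from the question; anything else is rejected.
const FLASH_TYPES = ['error', 'success', 'warning'];
const FLASH_KEY = '_flash'; // hypothetical session key

function flash_add(string $type, string $text): void
{
    if (!in_array($type, FLASH_TYPES, true)) {
        throw new InvalidArgumentException("Unknown flash type: $type");
    }
    // Plain array: PHP serializes $_SESSION itself when the request ends.
    $_SESSION[FLASH_KEY][] = ['type' => $type, 'text' => $text];
}

function flash_pull(): array
{
    $messages = $_SESSION[FLASH_KEY] ?? [];
    unset($_SESSION[FLASH_KEY]); // read once, then removed from the session
    return $messages;
}

function flash_render(array $messages): string
{
    $html = '';
    foreach ($messages as $m) {
        // The type is already restricted to FLASH_TYPES; the text is escaped
        // here because it may contain user-supplied data such as a username.
        $html .= sprintf(
            "<div class=\"flash flash-%s\">%s</div>\n",
            $m['type'],
            htmlspecialchars($m['text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }
    return $html;
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Constructed sample messages.
flash_add('success', 'Welcome back <b>User</b>');
flash_add('error', 'Wrong login information');
echo flash_render(flash_pull());              // markup in the text is escaped
echo count(flash_pull()), " messages left\n"; // nothing remains after the pull
```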
