Reputation: 9391
I am currently working on a website that has high traffic by my standards. It's a webshop and has a few (serialized) objects in its session.
E.g.
$_SESSION['shoppingcart'] = new Shoppingcart();
And this object is later used throughout the code. So far no problem. The session duration is 1 hour at the moment and is extended when users keep it alive by making requests.
Now for the (probably well known) problem: When making a change to the Shoppingcart class in the example there is a chance that the change breaks the deserializing of the object. What can we do to prevent this problem? What is the recommended approach?
We can keep values in the database and only use a primitive int inside the session to identify the primary key.
We can use some array conversion from the object.
?
Upvotes: 0
Views: 73
Reputation: 9391
There is a good chance there is an expert here that has a better answer, but for now I will share what I found.
Given all these potential problems, I strongly advise against storing objects in the session. If you want to persist the logged in user, instead of storing an instance of a User class in $_SESSION, just store the user ID and populate the user object from the database or cache. It’s a little more work than letting PHP magically handle everything for you, but your application will be much more stable and portable without object serialization.
source: https://www.phparch.com/2018/01/php-sessions-in-depth/
Upvotes: 1
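The approach recommended in the answer, sketched as an added example that is not part of the original posts or the linked article: the session holds only an integer cart ID and the cart is rebuilt from storage on each request, so a changed class never meets old serialized data. ShoppingCart, CartRepository, loadCart, the cart_id key and the cart_items table are hypothetical names; it assumes PHP 8 with pdo_sqlite, and a plain array stands in for $_SESSION.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout: ShoppingCart, CartRepository, cart_id, cart_items.
final class ShoppingCart
{
    /** @param array<string,int> $items sku => quantity */
    public function __construct(public ?int $id = null, public array $items = []) {}
}

final class CartRepository
{
    public function __construct(private PDO $db) {}

    public function find(int $id): ?ShoppingCart
    {
        $st = $this->db->prepare('SELECT sku, qty FROM cart_items WHERE cart_id = ?');
        $st->execute([$id]);
        $rows = $st->fetchAll(PDO::FETCH_KEY_PAIR);
        return $rows ? new ShoppingCart($id, array_map('intval', $rows)) : null;
    }

    public function save(ShoppingCart $cart): int
    {
        $cart->id ??= random_int(1, PHP_INT_MAX);   // random, non-sequential ID
        $this->db->prepare('DELETE FROM cart_items WHERE cart_id = ?')->execute([$cart->id]);
        $ins = $this->db->prepare('INSERT INTO cart_items VALUES (?, ?, ?)');
        foreach ($cart->items as $sku => $qty) {
            $ins->execute([$cart->id, $sku, $qty]);
        }
        return $cart->id;
    }
}

// The session carries only a scalar, so no object is ever unserialized from it.
function loadCart(array $session, CartRepository $repo): ShoppingCart
{
    $id = $session['cart_id'] ?? null;
    // Anything that is not an int (e.g. a leftover object from old code) is discarded.
    return is_int($id) ? ($repo->find($id) ?? new ShoppingCart()) : new ShoppingCart();
}

$db = new PDO('sqlite::memory:');     // constructed in-memory store for the demo
$db->exec('CREATE TABLE cart_items (cart_id INTEGER, sku TEXT, qty INTEGER)');
$repo = new CartRepository($db);
$session = [];                        // stands in for $_SESSION
$cart = loadCart($session, $repo);
$cart->items['SKU-1'] = 2;
$session['cart_id'] = $repo->save($cart);
var_dump(loadCart($session, $repo)->items);
```

Because the cart lives in rows rather than in a serialized blob, a change to the class only requires updating the mapping in find() and save(), and sessions created before a deployment keep working.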