Tom C

Reputation: 842

Are there limitations in PHP session handling?

I've seen many sites give up the use of the default handling of sessions in PHP for their own method and I still have no clue why.

They are definitely running PHP and it just seems pointless to me that people would design their own method. Is there some sort of limitation that I do not know of or is it purely so they have control of everything?

(I tried asking them and yeah they either didn't have a way of contacting them or they "saw something somewhere against using PHP sessions" without knowing what it actually was)

Upvotes: 4

Views: 853

Answers (4)

magallanes

Reputation: 6854

1) Sessions are still widely used. They work and do the work, so there is no point in changing them unless there is a special case.

2) However, a session is weak; it relies on a single PHP (that can be stolen). However, it is possible to protect a session using different methods such as cookie + IP + expiration.

So yes and no. Sessions are still widely used but require fine tuning.

Upvotes: 1

Raffael

Reputation: 20045

Well with the standard setup you are tied to using the file system, saving session data unencrypted etc.

Writing your own session handling using session_set_save_handler you can adjust the session management to your needs ... applying encryption, saving sessions in a database, synchronizing the sessions with separate software systems ...

Upvotes: 1

lonesomeday

Reputation: 238115

I would have thought a principal reason for rolling your own session-handling functionality is for the purposes of testing. If you're running unit tests, you won't necessarily have a browser environment going. You won't be able to set cookies, and so PHP won't set $_SESSION variables for you.

If, however, you wrote your own session handling class(es), then you could create a mock class for running unit tests. The object would behave like a "real" session, but you won't have to faff about with browsers, cookies and human beings.

Upvotes: 1

N.B.

Reputation: 14091

Default sessions are stored on the hard drive, usually in the /tmp directory. When your site gets larger, 1 computer isn't sufficient to run it. Therefore, people resort to load balancing (among other solutions).

A load balancer effectively switches between a cluster of computers. Therefore, if by any chance you got served by computer #1 on your first request and then by computer #2 on your second request, the second computer cannot read the session since it's not in its /tmp folder.

This is a simplified scenario of course since there's much more to application scaling but this is one of the reasons why people resort to overriding the default session mechanism.

The other thing of interest is storing sessions in the DB, thus making them searchable and whatnot. You can also create an interface for effectively and forcefully logging people out, which is something that the default mechanism cannot provide.

Upvotes: 7
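The session_set_save_handler route Raffael mentions and the shared store with a forced-logout interface N.B. describes fit in one handler. The following is an added example, not code from any answer on this page; it assumes PHP 8 with the sodium extension, a SQLite file at an assumed path, and an environment variable SESSION_KEY holding a base64-encoded 32-byte key.

```php
<?php
// Added example, not code from the question or answers: a custom handler
// registered with session_set_save_handler() that keeps sessions in a shared
// database (PDO; SQLite here for portability, assumed path) and encrypts the
// payload with sodium_crypto_secretbox(), so any node behind a load balancer
// can read a session and an administrator can revoke one server-side.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $key, private int $ttl = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetchColumn();
        if ($row === false) { return ''; }  // unknown or expired id: PHP starts an empty session
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        $plain = sodium_crypto_secretbox_open(substr($row, $n), substr($row, 0, $n), $this->key);
        return $plain === false ? '' : $plain;  // wrong key or tampered blob: treat as no session
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh nonce per write
        $blob = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $blob, time() + $this->ttl]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
    // Forced logout: the row is deleted on the server, so the browser's cookie is useless.
    public function revoke(string $id): bool { return $this->destroy($id); }
}

// 32-byte key shared by every node; assumed to arrive base64-encoded in SESSION_KEY.
$key = sodium_base642bin(getenv('SESSION_KEY'), SODIUM_BASE64_VARIANT_ORIGINAL);
$handler = new DbSessionHandler(new PDO('sqlite:/var/lib/app/sessions.db'), $key);
session_set_save_handler($handler, true);  // true: also register session_write_close() at shutdown
session_start();
```

Because the data column is ciphertext, a database-level reader sees no plaintext session contents, and any node can call revoke() with a session id to log that user out regardless of which node served them.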
