Call us Toll-Free:
Email us


PHP session.save_handler and Database sessions debunked

Mike Peters, 06-09-2009
PHP sessions are a great way to store user-specific information, throughout a given period of time while the user is interacting with your website.

Common examples where sessions come in handy:

1. User logs in to your website and you use sessions to store the user-id, user-email, user-name, while the user is logged-in, so that those can be clearly displayed on all pages and used to validate the user is still logged-in.

2. User begins a checkout process. On step 1 the user provides their name and emailaddress. On step 2 they provides payment information. On step 3, all information is retrieved from session variables and the order is processed.

3. Referring affiliate ID is stored in a session, so that once an order is processed, the referring affiliate can be credited a referral commission.

3 methods to handle sessions in PHP:

PHP offers three methods to handle sessions. You can control which method is used by either updating your php.ini session.save_handler, or by calling session_set_save_handler

== Method 1: Files

This is the default storage method for PHP, where session variables are serialized and written to a session file. (typically under your /tmp folder)

While this approach is fast, it doesn't work when you have more than a single web server.

If a user starts their session on webserver1 and then ends up landing on webserver2, the session information will not be found (it is stored as a local file on webserver1).

If you do choose to use file-based session handling, be sure to monitor your tmp folder regularly for any unusual session files build-up

Issue this command to count how many session files you have at any present moment:

-la /tmp/ | grep sess_ | wc -l

== Method 2: mm

The memory management storage method allows session variables to be stored in Apache's runtime memory. Using memory has the advantage of better performance than files on disk. However, if many sessions must be supported, and each session uses a large volume of data, the memory used by the Apache process may be high. To use memory to store session variables, Apache must be configured and compiled to use an installed memory management module (--with-mm).

We don't recommend using this approach.

== Method 3: user

The user-defined method allows an application to save session variables to systems other than file or memory, such as to a table in a database. By defining several handler prototypes, PHP allows the developer to define the behavior of the low-level session management. A full explanation is given in the next section.

This is the recommended approach to handle high-volume multi-server architecture.

One big caveat with 'user' type sessions, which is very poorly documented, is that once you setup your session.save_handler=user in php.ini, PHP expects you call session_set_save_handler before any call to session_start(). If you fail to do so, PHP will issue a fatal error and script execution stops.

Database Sessions with Memcached:

Working with high-load, high-redundancy, multi-server server architectures, the approach that works best is using a combination of database-sessions with memcached.

Session information is stored in a database (so that it is visible to all webservers) as well as in distributed Memcached servers.

When session information is needed, PHP will first look-up the session in Memcached. If not found, PHP will then access the database to retrieve the session and immediately store it in Memcached for future access.

Read this article for a complete step-by-step tutorial on implementing database sessions with memcached for PHP.

Import tips about forcing 'user' session handler:

In order to implement database sessions with memcached, we need to tell PHP we'd like to use our own 'user' session save_handler.

To do that, we have to call session_set_save_handler and pass callback information for the custom session-handling functions.

The manual also advises setting php.ini session.save_handler=user, so that no sessions are ever stored as files.

The issue is that if you set php.ini session.save_handler=user and forget including a call to session_set_save_handler before calling session_start(), PHP will issue a fatal error and script execution stops.

This may not be an issue for most of you as long as you control all php scripts on your server and have no client virtual-hosts that are outside your control.

In our case, we often provide clients with a tiny utility script to include, that utilizes sessions. We want to force this script to use database-level sessions when running on one of our servers, but allow easy porting of the script to other offsite servers that may use file-based sessions.

To implement this, we keep session.save_handler=files in php.ini and include this line at the top of our script:

// Include our database+Memcached session handler (if found)
if (file_exists("/home/admin/htdocs/dbsession.php"))
// End include

If our dbsession.php is found, it is included and calls session_set_save_handler to turn on the smart database+memcached session handling.

Otherwise (running on an offsite machine), the server reverts to the default file-based session handling.
Enjoyed this post?

Subscribe Now to receive new posts via Email as soon as they come out.

Post your comments

Note: No link spamming! If your message contains link/s, it will NOT be published on the site before manually approved by one of our moderators.

About Us  |  Contact us  |  Privacy Policy  |  Terms & Conditions