14. Session HandlingIN CHAPTER 13, "USER AUTHENTICATION AND SESSION Security," we discussed authenticating user sessions. In addition to being able to determine that a sequence of requests are simply coming from the same user, you very often want to maintain state information for a user between requests. Some applications, such as shopping carts and games, require state in order to function at all, but these are just a subset of the expanse of applications that use state. Handling state in an application can be a challenge, largely due to the mass of data it is possible to accumulate. If I have a shopping cart application, I need for users to be able to put objects into the cart and track the status of that cart throughout their entire session. PHP offers no data persistence between requests, so you need to tuck this data away someplace where you can access it after the current request is complete. There are a number of ways to track state. You can use cookies, query string munging, DBM-based session caches, RDBMS-backed caches, application serverbased caches, PHP's internal session tools, or something developed in house. With this daunting array of possible choices, you need a strategy for categorizing your techniques. You can bifurcate session-management techniques into two categories, depending on whether you store the bulk of the data client side or server side:
We have looked at many session-caching mechanisms in the previous chapters, caching various portions of a client's session to mete out performance gains. The principal difference between session caching as we have seen it before and session state is that session caching takes data that is already available in a slow fashion and makes it available in a faster, more convenient, format. Session state is information that is not available in any other format. You need the session state for an application to perform correctly. |