[PHP] - Why forums don't use $_SESSION variables ?
Posted by hadoken, 03-13-2007, 02:46 PM Hello, I hope everybody is fine. I take a look on some script forums like phpbb and punbb and they never use $_SESSION variables for keeping a connection or users preferences. Instead of use $_SESSION, they make some query to the database (each time a new page is displayed) in order to have the user data preferences. Does it really good for a server or a database ? Well, I am sure they now what are they doing, but I can't find any explanation why there are using this method (database query) instead of $_SESSION in order to keep some data user preferences during a connection. If someone have some answers, I 'll be glad to hear any explanation. Thank you very much and have a great day. Best regards, Hadoken PS : sorry for my english
Posted by TonyB, 03-13-2007, 03:08 PM Well there are a few reasons - If there is more than one web server $_SESSION becomes more complicated (they'd need a shared session store path) - Security (some feel that sessions stored by the web server are not secure). - Possibily faster - The ability to see who's online requires a way to access the data so a database helps in that respect. Of course there are ways to still use the $_SESSION var without storing the sessions as files on the web server. You can use session_set_save_handler()
Posted by Archbob, 03-13-2007, 03:53 PM It you've programmed a forum, you'd understand why, running chipmuk-scripts and programming all sorts of stuff, it gets complicated with session arrays, its much simplier just to query the database for user preferences.
Posted by Engelmacher, 03-13-2007, 06:16 PM Internet forums are rarely well-coded by experienced engineers as the never-ending stream of popular exploits will attest to. Most of them are learn-as-you-go endeavors on the part of some kids who just picked up a copy of "Teach Yourself PHP in 30 Days!" and if you try to make sense out of very many of their design related decisions, you'll go crazy. This is not to say that $_SESSION is the end-all-be-all solution to every problem, just don't go digging too deep for answers in forum packages.
Posted by Ks Jeppe, 03-14-2007, 11:06 AM http://phpsec.org/projects/guide/4.html From what i can see, and have been told, it's normally done due to older php insecurity (for example with register globals on) If you're running php 4.2 or later, and have it somewhat secured, then i don't really see a problem with using sessions
Posted by hadoken, 03-17-2007, 09:23 AM Hello, Sorry for the late. First, thank you very much for your answers and the provided link, were very helpful. Ok I am starting to understand why they use database for some query's. It's sure it's look like simplier but what about performance ? If I have 10.000 users connected at the same time, what is the best to do ? Make a minimum of 10.000 request to the database or store 10.000 session on the tmp directory ? Thank you very much. Besy regards, Hadoken
Posted by ergo, 03-17-2007, 10:00 AM its not like this, forums DO use sessions to store SOME variables ( at least php do), some should not, for SEO etc... as for your system when you have lots of users you would need to probably have some custom solution that would utilise caching data etc. as for 10000 users then you need load balancers and few servers ;-)
Posted by brianoz, 03-25-2007, 10:11 AM Sessions are definitely faster - a single file being opened, compared to many for a database - simply has to be faster.
Posted by TonyB, 03-25-2007, 11:43 AM Most forum software are setting their sessions table as a memory based. So it is not really opening files on the database server. Last edited by TonyB; 03-25-2007 at 11:47 AM.