Storing session in DB, why?

[eluser]arthurhanlon[/eluser]
Hi there,

Still learning here so apologies if this "seems" a dumb question to you.

Why store session data in the database if it's also stored in a cookie?

I though it was so that a session can be pulled back from the database at a later date BUT, if a user is given a different session ID every 5 minutes, how could you use the cookie session id to pull the actual session data from the DB as presumably he/she will have a different session id the next time they visit? Or am I totally misunderstanding what the session class is actually doing?

Thanks in advance,
Arthur

[eluser]tomdelonge[/eluser]
Normally, when you store the session in a database, there's still a cookie with an id in it. Then you use that id to lookup the session row in the db.

Storing session data in a db has several advantages. First, cookies have a limit as to how much you can store in it. Encrypting sessions in cookies makes it so you can only fit even less. Also, storing in the database prevents tampering (though if it's encrypted or you're checking against an ip address then there probably won't be a problem).

The only real advantage (that I can think of) for storing in a cookie instead would be to take workload off of the database.

You can also change how long sessions last and such in the config file, I think you're talking about the "time to update" variable, rather than the "time to expiration" variable.

Hope that helps...

[eluser]arthurhanlon[/eluser]
Thanks loads for that explanation, it's exactly what I thought but wasn't sure. I just have one more query about this though.

Session IDs are regenerated every 5 minutes so presumably, when the user revisits, he'll be assigned another session ID whcih will in turn overwrite the existing cookie stored on their machine not allowing you to grab the old session at all or am I missing something?

Arthur