Session Handling: Which Should I Choose?
#1

[eluser]Nalorin[/eluser]
Hi All,


I need to implement sessions into my web application and am having a difficult time deciding which method of handling sessions I should choose. I need to make the decision based on the following information:

Estimated site statistics:
- Average site traffic of ~40K page hits/day
- Peak site traffic of ~200K page hits/day
- Number of registered users: between 150K and 350K
- Services up to ~4M people, Canada-wide (about 10% of population)

Desired application characteristics:
- Fast & Efficient
- No SSL
- Level of security: moderate+
- Ease of implementation: moderately easy
- No sensitive data stored in cookies (preferably)

---

I know that I have a few options to meet my needs with sessions: Native PHP sessions, CodeIgniter Sessions (database or encrypted cookies), and CodeIgniter Native_session, to name a few.

What suggestions would you make regarding sessions for my application and why?

Or, if you don't have any suggestions, what pros/cons can you point out about the implementations listed above or suggested in responses below?

Thanks in advance for your help and input!
#2

[eluser]oldblueday[/eluser]
Nalorin,

I'm very new to CI myself, but I can give you my experience. I used the CodeIgniter Native_Sessions. The data I needed to store quickly exceeded the 4 kb limit of a cookie, which made the CI class not an option. Plus I am still not sure why I'd want to store session data in a cookie.

I did, however, like the CI session syntax - and the fact that someone already wrote the library for me. It worked out very well.

Good luck - sounds like a huge project,

- Rahul
#3

[eluser]Nalorin[/eluser]
Thanks for the response, Rahul.

Yeah - it's a big project, for a business that I want to get off the ground before the end of this month, and since I found and read the Native_session page, I have been leaning more toward that session handler library.

I'm just curious if that option is really as good as it seems, or if there are aspects of the other options that I'm missing out on that make them better choices.
#4

[eluser]oldblueday[/eluser]
Well, the scale of my site is a few students every couple of weeks, not nearly as big as yours. However, I really liked how easy this was to implement. I was going to write my own native PHP sessions library or helper, but this handled it pretty well. Good luck, my friend.
#5

[eluser]WanWizard[/eluser]
[quote author="oldblueday" date="1282040397"]Nalorin,

I'm very new to CI myself, but I can give you my experience. I used the CodeIgniter Native_Sessions. The data I needed to store quickly exceeded the 4 kb limit of a cookie, which made the CI class not an option. Plus I am still not sure why I'd want to store session data in a cookie.[/quote]

Have you read the user guide on sessions? The sessions library is built to use the database for session storage, the cookie version is a fallback for sites that don't use a database at all. Absolutely no need to fool around with other session libraries (which are made for old CI versions that didn't have database support).
#6

[eluser]oldblueday[/eluser]
Mr Wizard,

I did read the User Guide. I thought using a database for what I was doing was overkill. Are there reasons I wouldn't want to use PHP's native sessions and use a cookie or database instead?

Thanks,

RP
#7

[eluser]n0xie[/eluser]
http://stackoverflow.com/questions/20451...e-sessions
#8

[eluser]Nalorin[/eluser]
[quote author="WanWizard" date="1282051007"]Have you read the user guide on sessions? The sessions library is built to use the database for session storage, the cookie version is a fallback for sites that don't use a database at all. Absolutely no need to fool around with other session libraries (which are made for old CI versions that didn't have database support).[/quote]

Yes, I have read the user guide on sessions - that's the reason I'm asking this question.

I find the idea of using databases (which add in connection times) to be less than appealing since I'm using a shared hosting solution.

I would rather not save session data on the user's computer, aside from the session identifier and maybe some non-sensitive data. I will need a shopping cart system for my application (which I failed to mention) and it will need to frequently store more than 4K of data, I'm almost certain.
#9

[eluser]danmontgomery[/eluser]
[quote author="Nalorin" date="1282088063"]I find the idea of using databases (which add in connection times)[/quote]

You're talking milliseconds at most. If you're doing something that requires sessions chances are you're connecting to the db on every page anyways, the performance hit shouldn't be a concern.
#10

[eluser]Nalorin[/eluser]
I don't like using a database any more than is necessary - for every method of entering the database, that's one more entry that you have to seal against SQL injection attacks.

I'd rather store basic information, like what entries the user has added to their cart, sorting options for javascript, and the user's details (for the purposes of creating items on the site) in a session file, where I only have to validate the information if it will affect the database or a page access restriction, rather than ALWAYS having to validate to prevent SQL injection, along with validating when necessary for access restrictions, etc.

I've also heard mention about security concerns regarding CI sessions - as well as sessions not working reliably with the database.