Retrieving Data from Session or Database?

PHPGuru2

Hey guys,

Which one of the following methods is better in speed or security-wise to read/write data?

1) After successfully logging in, save necessary data in the session, and when those data are needed later on, retrieve them from session (for example, id, address, zipcode, etc.) Only update the data when necessary. Destroy them when the user logs out.

2) Retrieve/Update data from/to the database each time they are needed.

I have read several documents and articles about this, asked questions around, but I'm still not sure which one is better.

Some people say:

1 is not a good idea since PHP4 simply stores data in text-based session and reading/writing data from/to the text file takes longer. Also, when the access gets too crowded to one folder (in this case, session folder), that also slows down the speed. Session hijacking is also one of the issues.

2 is not a good idea because too many access to the database slows down the speed. Some of the hosting services limits the number of queries you can call within the certain amount of time, so if you have too many queries, this may end up being an annoying problem.

So which one is better then... Help me out!

chads2k2

Personally ... Never ever had a problem with #1... had many problems with #2. Either method can be used without a major complication. Just check with your host on how their database is set up and if they limit you or not. I would PERSONALLY go with #1. BUT THAT IS JUST ME! <--- I have been flamed many times ... just protecting my @$$. :p

Enjoy.

jweissig

hey,

I store all sessions in my database under the "sessions" table. Then i have a table called "users" to store user information, which never changes (this helps me build user profiles).

When a user logs I check the user table to make sure he is allowed i.e. has a valid user/pass. This is also where i store all my user pref's. Then i create an entry in the "sessions" table and then rewrite the "url" to include a session key (so each page checks to make sure he has a valid session and if he does, show the page. If he does not then redirect him to an error page.).

I include a USERID field in the sessions table so that when someonce connects with a session of something like "23423$234234234" i can check for that entry in the sessions table and get the userid of the user. I can then query the user table and grab his prefs.

I think this might sound hard but it is really easy. This will also improve security because the you are not passing information like "the user id" or anything this will really help with people trying to mess with your app. Secondly i think this is just as secure as using cookies, 1. because a cookie is sent in plain text ALSO! 2. i don't know very many people who can look at a MD5Sum and remember it and then go type it in. They would have to listen to the network traffic (which makes this the same as cookies).

Once you have the above setup all you need to do is clean up sessions once and a while and your done. I think there is something on phpbuilder that already has something to do with storing php sessions in a mysql database.

one more note on security. If you are really worried about someone hacking your app through sessions then use SSL.

peace
- justin