Store serialized Login Object into session

kante

Hello ,

i have this doubt:

I was used to write my applications in this way:
- user compile a form e perform post to a script
- script check on DB the valid data and start a session
- store users unique key in a session var and redirects user to restricted area
- every restricted area page, i check on this session key to be set and then perform a db query to get some other user details to be displayed

possible improvement:

why not (on form submit and authenticate) creating a User Object serialize it and store all details ni a session instead of storing only the key? so when i perform the check on the session var to see if the user is autheticated i already have ready all users details, instead of call a DB query every page load?

is there something wrong in this?
maybe i could use this even with cookies crypting and decryptin the serialized string....just for security reasons (cookies hijack attempts)

Many thanks

PS. of course i'm not saving password or such details in the serialized obj.
And maybe this could not be even a problem since session is saved on server not on client... so no way to read it for the internet user...

laserlight

kante wrote:
why not (on form submit and authenticate) creating a User Object serialize it and store all details ni a session instead of storing only the key? so when i perform the check on the session var to see if the user is autheticated i already have ready all users details, instead of call a DB query every page load?

is there something wrong in this?

It is not wrong, but there is cost associated in retrieving the serialised data from session storage, so the gain over querying a database may not be quite as fantastic as you paint it to be.

kante

why u say there is a cost? u mean to say having lots of data in session may cause slow phpperformance? or there could be php memory usage issue?

laserlight

kante wrote:
why u say there is a cost?

There is likely to be filesystem access (perhaps even through a database engine) in order to retrieve the desired data, which then has to be deserialised. That said, since you will already be retrieving a key, this cost may be incurred either way.

Another problem to consider is what happens if the user details are modified. A change of details by the user is easy: you just update the session data when the database is updated. But things like banning a user might be a little more tricky.