
objects and sessions


Stooney


Is it secure to carry objects over sessions?  I have a class which handles my users.  It contains their name, userid, email, etc.  At the beginning of the script I 'resume' the object ($user=$_SESSION['user'];).  Then at the end of the script I 'update' the session ($_SESSION['user']=$user;).  Is this ok?  Should I look into just storing each variable (userid, name, email, etc) in its own session variable?


There's nothing wrong with storing an object in a session (as you have done), and in fact I would say it's better (more encapsulated) than allowing separate session variables for each of the attributes you listed.

 

The only warning I will give is that streams/resources will be destroyed. So this means database connections and file streams will get killed off when the object is put into the session.


Also, you should serialize the object before storing it into the session. This will prevent problems caused by the classes not being available before the session is started:

 

http://us3.php.net/manual/en/language.oop.serialization.php

 

<?php
  session_start();
  require('user.class.inc');

  // Restore the stored object if there is one, otherwise start with a fresh user
  // (isset() avoids an undefined-index notice on the first request).
  $user = isset($_SESSION['user'])
    ? unserialize($_SESSION['user'])
    : new UserClass();

  //script goes here

  // Store the serialized object back for the next request.
  $_SESSION['user'] = serialize($user);
?>


Interestingly (because rhodesa picked this up) what might be advisable is to create a Session class, and register your user class inside that.

 

e.g.

<?php
class Session {

  public function __construct(){
    session_start();
  }

  public function addUser(user $user){
    $_SESSION['user'] = serialize($user);
  }

  public function getUser(){
    // Return the stored user, or a fresh one if none is in the session yet.
    if(array_key_exists('user',$_SESSION)){
      return unserialize($_SESSION['user']);
    } else {
      return new user();
    }
  }

}
?>

 

Then you can do

 

<?php
$session = new Session();
$user = $session->getUser();
?>


Also, you should serialize the object before storing it into the session.

 

Objects do not need to be serialized prior to being put into the session array. Sessions are automatically serialized, hence you cannot store a stream or resource within a session.

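An added example (not code from any poster in this thread) that shows what the last two replies are arguing about: PHP serializes the contents of $_SESSION itself at the end of the request, so an explicit serialize() is optional, and because resources cannot be serialized a class can use __sleep()/__wakeup() to leave a handle out and re-acquire it when the object comes back. The User, Session and roundTrip names, the php://memory handle and the sample user data are constructed for this example. Where serialize() is still done by hand, the unserialize() call passes allowed_classes (PHP 7 and later) so that a blob read back from the session store can only instantiate the class you expect, which limits the damage if that store is ever tampered with.

```php
<?php
// Added example, not from the thread. Demonstrates that $_SESSION values are
// serialized by PHP itself (resources do not survive) and how a class controls
// what it serializes with __sleep()/__wakeup().
declare(strict_types=1);

final class User
{
    public int $userid;
    public string $name;
    public string $email;
    /** @var resource|null transient handle, e.g. a log file (constructed for the demo) */
    private $logHandle = null;

    public function __construct(int $userid, string $name, string $email)
    {
        $this->userid = $userid;
        $this->name   = $name;
        $this->email  = $email;
        $this->openLog();
    }

    private function openLog(): void
    {
        // php://memory stands in for a real file so the demo runs anywhere.
        $this->logHandle = fopen('php://memory', 'w+');
    }

    public function hasLogHandle(): bool
    {
        return is_resource($this->logHandle);
    }

    // Only these properties are serialized; the resource is deliberately omitted.
    public function __sleep(): array
    {
        return ['userid', 'name', 'email'];
    }

    // Re-acquire transient state when the object is restored from the session.
    public function __wakeup(): void
    {
        $this->openLog();
    }
}

final class Session
{
    public function __construct()
    {
        // The User class must be defined (or autoloadable) before session_start(),
        // otherwise a stored User is restored as __PHP_Incomplete_Class.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    // No serialize() call: PHP serializes $_SESSION itself when the request ends.
    public function setUser(User $user): void
    {
        $_SESSION['user'] = $user;
    }

    public function getUser(): ?User
    {
        $u = $_SESSION['user'] ?? null;
        return $u instanceof User ? $u : null;
    }
}

// Simulates what the session handler does between requests: serialize at
// shutdown, unserialize at the next session_start(). allowed_classes restricts
// which classes the decoder may instantiate; it matters when you serialize by
// hand, as earlier replies in this thread suggested.
function roundTrip(User $user): User
{
    $blob = serialize($user);
    $copy = unserialize($blob, ['allowed_classes' => [User::class]]);
    if (!($copy instanceof User)) {
        throw new RuntimeException('session blob did not decode to a User');
    }
    return $copy;
}

$user     = new User(42, 'stooney', 'stooney@example.invalid'); // constructed sample data
$restored = roundTrip($user);
var_dump($restored->hasLogHandle());                               // true: reopened by __wakeup()
var_dump(strpos(serialize($user), 'logHandle') === false);          // true: handle never serialized
```

The same __sleep()/__wakeup() pair applies whether you assign the object straight into $_SESSION (as the Session class above does) or serialize it by hand, because PHP's session serializer calls the same hooks.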

I went with what aschk said and made a session class.  I changed it a bit so it can take any object and not just the 'user' object.  Can anyone let me know if this is going in the right direction?

 

<?php

class Session{

public function __construct(){
	session_start();
}

public function add_object($id, $object){
	$_SESSION[$id]=serialize($object);
}

public function get_object($id){
	if(array_key_exists($id, $_SESSION)){
		return unserialize($_SESSION[$id]);
	}
	else{
		return false;
	}
}
}

?>


I don't think you need to do the serialize() inside the addObject function, as all variables inside the $_SESSION are serialized anyway.

Beware of using the generic method though, as you can easily overwrite the "user" object at any time by accident.

 

Personally I prefer to use getUser() inside the session object and have the add_object method as protected, and yes you would probably have to add a method for other objects you intend to store, but it keeps it constrained and you know what methods you have.

 

Also you might like to consider making your user object a singleton (as I'm assuming you only have 1 user related to the session).

Thus

<?php
class user {

  private static $instance;

  private function __construct(){
    // set initialisation variables.
  }

  public static function instance(){
    if(!self::$instance){
      self::$instance = new self();
    }
    return self::$instance;
  }
}
?>

 

and then your getUser() method would look something like this:

<?php

public function getUser(){
  // Seed the session with the singleton user the first time it is requested.
  if(!isset($_SESSION['user'])){
    $this->set_object('user',user::instance());
  }
  return $this->get_object('user'); // get_object is a protected function.
}

?>

 

or something like this.

I'm just playing around with ideas but as long as you're happy with what you're using that's good ;)
