Stooney Posted February 13, 2008
Is it secure to carry objects over sessions? I have a class which handles my users. It contains their name, userid, email, etc. At the beginning of the script I 'resume' the object ($user = $_SESSION['user'];). Then at the end of the script I 'update' the session ($_SESSION['user'] = $user;). Is this ok? Should I look into just storing each variable (userid, name, email, etc.) in its own session variable?
aschk Posted February 14, 2008
There's nothing wrong with storing an object in a session (as you have done), and in fact I would say it's better (more encapsulated) than allowing separate session variables for each of the attributes you listed. The only warning I will give is that streams/resources will be destroyed. So this means database connections and file streams will get killed off when the object is put into the session.
rhodesa Posted February 14, 2008
Also, you should serialize the object before storing it into the session. This will prevent problems caused by the classes not being available before the session is started: http://us3.php.net/manual/en/language.oop.serialization.php

<?php
session_start();
require('user.class.inc');
// isset() avoids an undefined-index notice on the first request
$user = isset($_SESSION['user']) ? unserialize($_SESSION['user']) : new UserClass();
// script goes here
$_SESSION['user'] = serialize($user);
?>
Daniel0 Posted February 14, 2008
Note that on unserialization all resources (database connections, open files, etc.) will be gone so you'll have to open them again using the magic __wakeup() method.
aschk Posted February 14, 2008
And close them using the magic __sleep() method (for sanity's sake).
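The __sleep()/__wakeup() pairing Daniel0 and aschk describe, as an added example that is not code from the thread: the PDO handle is dropped before the object is stored and reopened on first use after it is restored, which is the round trip PHP applies to $_SESSION at request end and at session_start(). Because the session store is server-side, this round trip does not feed client-supplied bytes to unserialize(). The User class, the sample values and the in-memory SQLite DSN are assumptions made for the demo.

```php
<?php
// Added example (not from the thread). PDO handles wrap a resource and
// cannot be serialized, so __sleep() leaves the handle out of the stored
// property list and __wakeup() makes sure it is reopened on demand.
// The 'sqlite::memory:' DSN is a placeholder that keeps this self-contained.
class User
{
    private ?PDO $db = null;      // never written to the session store
    public int $userId;
    public string $name;
    public string $email;

    public function __construct(int $userId, string $name, string $email)
    {
        $this->userId = $userId;
        $this->name   = $name;
        $this->email  = $email;
    }

    // Runs just before serialization: close the connection and list only
    // the properties that are safe to store (aschk's "close in __sleep").
    public function __sleep(): array
    {
        $this->db = null;
        return ['userId', 'name', 'email'];
    }

    // Runs right after unserialization: any resource is gone (Daniel0's
    // point), so mark the handle absent; db() reconnects on first use.
    public function __wakeup(): void
    {
        $this->db = null;
    }

    private function db(): PDO
    {
        if ($this->db === null) {
            $this->db = new PDO('sqlite::memory:');   // placeholder DSN
        }
        return $this->db;
    }

    public function ping(): bool
    {
        return (int) $this->db()->query('SELECT 1')->fetchColumn() === 1;
    }
}

$user = new User(42, 'stooney', 'stooney@example.com');  // constructed sample
$user->ping();                                           // opens the handle
$restored = unserialize(serialize($user));               // what the session layer does
var_dump($restored instanceof User, $restored->ping());
```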
aschk Posted February 14, 2008
Interestingly (because rhodesa picked this up) what might be advisable is to create a Session class, and register your user class inside that. e.g.

<?php
class Session {
    public function __construct(){
        session_start();
    }
    public function addUser(user $user){
        $_SESSION['user'] = serialize($user);
    }
    public function getUser(){
        if(array_key_exists('user', $_SESSION)){
            return unserialize($_SESSION['user']);
        } else {
            return new user();
        }
    }
}
?>

Then you can do

<?php
$session = new Session();
$user = $session->getUser();
?>
trq Posted February 14, 2008
"Also, you should serialize the object before storing it into the session."

Objects do not need to be serialized prior to being put into the session array. Sessions are automatically serialized, hence you cannot store a stream or resource within a session.
aschk Posted February 14, 2008
Ah hah! I knew it... I didn't think they needed to be serialized.
rhodesa Posted February 14, 2008
I didn't say they had to be. I said they should be. If you don't serialize the object, just make sure you load all your classes BEFORE session_start().
Stooney Posted February 14, 2008 (Author)
Alright, thanks a bunch for all of your help. Took me a while to get back due to my computer crashing.
Stooney Posted February 15, 2008 (Author)
I went with what aschk said and made a session class. I changed it a bit so it can take any object and not just the 'user' object. Can anyone let me know if this is going in the right direction?

<?php
class Session {
    public function __construct(){
        session_start();
    }
    public function add_object($id, $object){
        $_SESSION[$id] = serialize($object);
    }
    public function get_object($id){
        if(array_key_exists($id, $_SESSION)){
            return unserialize($_SESSION[$id]);
        } else {
            return false;
        }
    }
}
?>
aschk Posted February 18, 2008
I don't think you need to do the serialize() inside the addObject function, as all variables inside the $_SESSION are serialized anyway. Beware of using the generic method though, as you can easily overwrite the "user" object at any time by accident. Personally I prefer to use getUser() inside the session object and have the add_object method as protected, and yes you would probably have to add a method for other objects you intend to store, but it keeps it constrained and you know what methods you have. Also you might like to consider making your user object a singleton (as I'm assuming you only have 1 user related to the session). Thus

<?php
class user {
    private static $instance;
    private function __construct(){
        // set initialisation variables.
    }
    public static function instance(){
        if(!self::$instance){
            self::$instance = new self();
        }
        return self::$instance;
    }
}
?>

and then your getUser() method would look something like this:

<?php
public function getUser(){
    if(!isset($_SESSION['user'])){
        $this->set_object('user', user::instance());
    }
    return $this->get_object('user'); // get_object is a protected function.
}
?>

or something like this. I'm just playing around with ideas but as long as you're happy with what you're using that's good.
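A Session wrapper along the lines aschk sketched, as an added example (PHP 8) rather than code from the thread: the user class is defined before session_start() so PHP can rebuild the stored object, the generic store is protected so the 'user' key cannot be overwritten by accident, and an object that comes back as __PHP_Incomplete_Class (the load-order mistake rhodesa describes) is treated as an error instead of being used. The small User class here is a stand-in, not Stooney's.

```php
<?php
// Added example (not from the thread). No serialize() calls: PHP serializes
// $_SESSION itself, as trq pointed out. The class must exist before
// session_start(), otherwise the stored object is rebuilt as
// __PHP_Incomplete_Class and its properties are unusable.
class User
{
    public function __construct(public int $userId = 0, public string $name = 'guest') {}
}

class Session
{
    private const USER_KEY = 'user';

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();   // stored objects are unserialized here
        }
    }

    public function getUser(): User
    {
        $user = $this->get(self::USER_KEY);
        if ($user instanceof __PHP_Incomplete_Class) {
            // The class was not loaded before session_start(): fail loudly
            // rather than hand a hollow object to the rest of the script.
            throw new RuntimeException('User class not loaded before session_start()');
        }
        return $user instanceof User ? $user : new User();
    }

    public function setUser(User $user): void
    {
        $this->set(self::USER_KEY, $user);
    }

    // Generic accessors stay protected so callers go through the typed
    // getUser()/setUser() pair (aschk's point about accidental overwrites).
    protected function get(string $key): mixed
    {
        return $_SESSION[$key] ?? null;
    }

    protected function set(string $key, object $value): void
    {
        $_SESSION[$key] = $value;
    }
}

$session = new Session();
$session->setUser(new User(42, 'stooney'));   // constructed sample user
echo $session->getUser()->name, PHP_EOL;
session_write_close();                        // flush to the session store
```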