Should I Use Database For Storing sessions in CakePHP?
Session handling is an important part of any web app. CakePHP offers four storage facilities for sessions. I will go through all of them and discuss the advantages and disadvantages of three of them. They are:
- cake: saves the session files in your app's tmp/sessions directory.
- database: uses CakePHP's database sessions.
- php: the default setting; saves session files as indicated by php.ini.
- cache: uses the caching engine configured by Cache::config(); very useful in conjunction with Memcache (in setups with multiple application servers) to store both cached data and sessions.
I will leave cache for later discussion.
To configure php, cake or database, all you need to do is change the following code in core.php in the app/config folder:
To use database, you have to do two more things. You have to add the following code to your core.php:
and you have to create a table in your database. The table structure is shown below:
CREATE TABLE IF NOT EXISTS `cake_sessions` (
  `id` varchar(255) NOT NULL,
  `data` text,
  `expires` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
When you use the cake value, sessions are stored as files within the app/tmp/sessions/ folder. The files will look something like sess_50bfa744a2ab2c98df808f70c893704c. Within these files, individual session variables are stored as plain text without encryption.
- Session variables are stored within Cake folder so the entire application stays in one place.
- Session files can be read with a text browser.
- Any files stored in DocumentRoot can be compromised if the Web server is compromised.
- Load-balanced Web servers not sharing a file system cannot share access to session files, causing sessions to be mysteriously dropped.
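The file-based drawbacks listed above can be checked on a server. The script below is an added example, not code from CakePHP or from this post: the function name auditSessionDir(), the demo paths and the session file contents are constructed, and the owner-only modes it expects (0700 for the directory, 0600 for files) assume the web server account is the only one that needs to read sessions.

```php
<?php
// Added example, not CakePHP code. auditSessionDir() and all paths are hypothetical.
function auditSessionDir(string $sessionDir, string $documentRoot): array
{
    clearstatcache();                       // do not trust cached permission data
    $dir  = realpath($sessionDir);
    $root = realpath($documentRoot);
    if ($dir === false || !is_dir($dir)) {
        return ["session directory not found: $sessionDir"];
    }
    $findings = [];
    $sep = DIRECTORY_SEPARATOR;
    // Files under DocumentRoot are exposed if the web server is compromised.
    if ($root !== false && strpos($dir . $sep, $root . $sep) === 0) {
        $findings[] = "$dir is inside DocumentRoot $root";
    }
    // Group/other bits on the directory let other local accounts list or enter it.
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        $findings[] = sprintf('%s has mode %04o, expected 0700', $dir, $mode);
    }
    // Session variables are plain text, so every sess_* file should be owner-only.
    foreach (glob($dir . $sep . 'sess_*') ?: [] as $file) {
        $fmode = fileperms($file) & 0777;
        if ($fmode & 0077) {
            $findings[] = sprintf('%s has mode %04o, expected 0600', basename($file), $fmode);
        }
    }
    return $findings;
}

// Constructed demo: a throwaway tree that mimics app/tmp/sessions under a web root.
$root     = sys_get_temp_dir() . '/session_audit_' . uniqid();
$sessions = "$root/app/tmp/sessions";
$file     = "$sessions/sess_constructedsample";
mkdir($sessions, 0755, true);
file_put_contents($file, 'Demo|s:11:"constructed";');
chmod($sessions, 0755);
chmod($file, 0644);

foreach (auditSessionDir($sessions, $root) as $finding) {
    echo $finding, PHP_EOL;
}

// Remove the demo tree again.
unlink($file);
foreach ([$sessions, "$root/app/tmp", "$root/app", $root] as $d) {
    rmdir($d);
}
```

To audit a real deployment, call auditSessionDir() with the application's session folder and the web server's DocumentRoot instead of the demo tree.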
The database option gives you a higher level of security or greater control over permissions; for those needs, database sessions are better. CakePHP stores all serialized variable information in a table.
- Simple to set up — only requires one extra table in your database.
- A loss of security in the Web server will probably not result in sessions being compromised.
- Sessions can be more easily shared across load-balanced servers.
- Using the database to store sessions adds some database overhead. That can add up.
- Sessions are still stored in plain text in the database; database backups may cause sensitive data to be stored for prolonged periods of time.
- Depending on how your database is set up, communications between your application and the database may not be secure. If your database isn't on localhost, or isn't reached over a secure channel such as a VPN, it is possible that the communications can become compromised.
The final method for storing sessions is to use whatever session handling PHP is set up to use. By default, PHP will write its sessions as files similar to the cake setting for Session.save. One main difference is that instead of saving session variables within the Cake application, they are generally stored in a temporary directory elsewhere on the file system.
- It's flexible: you can use any storage method supported by PHP.
- If you don’t override the session-handling functions, sessions will be stored the same way as all the other applications on your server.
- Since PHP is set up to could face some of the sessions: ‘cake’.”
The decision is yours as to which one you want to use. We use a PHP framework when we develop medium to large apps, and for that, the database is the best choice for our session storage.