I'm working on a project with sessions (to store activity, progress, etc.), and they're more convenient than using a database.

The only problem is that I'd like to allow a user to leave and come back later-- but the session data would be gone.

Assuming I can already identify the user (let's say via user accounts with passwords), I'd like to figure out how to restore the session in the easiest way.

Here's my idea: use serialize() on the $_SESSION array and store that in the database. Then at the bottom of each PHP page, store that into the database (for example, in the users table in the session_info column).

Then when they want to 'restore' the old session, I can simply load the data from the database, use unserialize() and set that array as $_SESSION.


Logically, that's fine. But the reason I'm asking is to see if I'm missed anything or if this might be unreliable.

Depends on exactly what you're serializing. If there are any objects, for example, you'll need to make sure the class definition is available before you unserialize(). Some people will be upset becuse the data won't be searchable (that's what a database if FOR, right?), but if you'll never need to search it, that's okay IMO. Other than that, no, should work fine.

(And, of course, you need to make the process of tying each stored session with the correct user secure and error-free)

Ok, thanks for confirming that.

After reading into this a little, I found that json_encode() and json_decode() are potentially better, and they're readable while in the DB (not searchable, but at least a human can verify that they make sense).

I've created a working system and I'm happy with it. I'm only using one part of the $_SESSION array, $_SESSION['subarray'], which contains in itself many variables.

It's exciting because the session is just immediately resumed and it all works well.


One note with json_decode() is that you'll get an object unless you ask for an array, so set the second parameter to TRUE:
json_decode($stuff,TRUE); /array

yeah, in most cases I prefer json as well: and you can search it reasonably well by using contrived queries like LIKE '%"WHATEVER"%'(obviously, queries like that are limited and can be a pain to write, but are still easier than searching a serialized string). The other drawback -if you're storing objects- is that you have to make special constructors if you want something besides an instance of the stdClass. Not a problem in most cases, but it can be.

Properly configuring a database is the "real" solution.

But specifically (and only) for the purpose of backing up the session, this works well. I'm happy with it.


And although it's not easy to search, you can quite easily generate user data by printing that out (looping through results and printing a table for each) using json_decode(). If you're interested in all of the results, it works well (but not so much for searching for one person).


And to specify my purposes, if you're wondering, I'm doing an online survey, and I want it to allow users to return later. Rather than storing lots of extra information in the DB (that is generally temporary) now the session can be extended and they don't lose the answers they've already submitted-- that makes it a lot easier to finish the survey.