[nycphp-talk] sessions and application security
Mitch Pirtle
mitchy at spacemonkeylabs.com
Tue Jan 27 13:00:14 EST 2004
Chris Shiflett wrote:
> --- Chris Hubbard <chubbard at next-online.net> wrote:
>
>>So it's important to make the session management as strong as possible.
>>One of the guys on the team advocates designing the application so it
>>doesn't use sessions, basically passing a token in the URL that tells
>>the server who the person is and where they are in the application.
>
>
> What is this guy's definition of a session? It sounds to me like he simply
> advocates passing session data back and forth across the public Internet
> rather than keeping it on the server. Which sounds more secure? :-)
I agree 100% on this one.
An excellent opportunity for you would be using ADODB's database-based
sessions (http://php.weblogs.com/adodb-sessions). Using this system,
ADODB also performs a crc32 check on the data and only hits the database
when the session data is changed. Combine this with the ability of ADODB
to cache query results and you have a pretty fast setup (not to mention
database independence).
Another option would be to use pound (http://www.apsis.ch/pound):
"The Pound program is a reverse proxy, load balancer and HTTPS front-end
for Web server(s). Pound was developed to enable distributing the load
among several Web-servers and to allow for a convenient SSL wrapper for
those Web servers that do not offer it natively. Pound is distributed
under the GPL - no warranty, it's free to use, copy and give away."
I LOVE pound. I learned to use it while dealing with Plone and Zope
sites, and now use it as a load-balancer with session awareness for PHP
stuff too ;^)
-- Mitch
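As an added example (this is editorial code, not ADODB's session module and not anything Mitch posted), here is what a database-backed PHP session handler in the spirit of the ADODB sessions described above looks like today. Session data stays on the server and the client only ever holds the session id in a cookie, which is the point made against the token-in-the-URL design. Like ADODB, the handler keeps a crc32 of the data it last read and skips rewriting the row when nothing changed. It assumes PHP 8.1+ with PDO and the pdo_sqlite driver; the table name `php_sessions`, its schema, the in-memory SQLite DSN and the sample user are this example's own choices.

```php
<?php
// Added example, not ADODB's or Pound's code: a database-backed PHP session
// handler in the spirit of ADODB's sessions. Session state stays on the
// server; the client only ever holds the session id, and the handler keeps a
// crc32 of what it last read so an unchanged session does not rewrite the row.
// Assumes PHP 8.1+ with PDO and the pdo_sqlite driver. The table name
// "php_sessions", the schema and the sample user are this example's own.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,int> crc32 of the data handed to PHP by read() */
    private array $crc = [];

    public function __construct(private PDO $db, private int $ttl = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS php_sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expiry INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string
    {
        $st = $this->db->prepare('SELECT data FROM php_sessions WHERE id = ? AND expiry > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        $data = $data === false ? '' : (string) $data;
        $this->crc[$id] = crc32($data);
        return $data;
    }

    public function write(string $id, string $data): bool
    {
        // crc32 only detects change; it is not an integrity check. The row is
        // trusted because it never left the server, not because of the crc.
        if (isset($this->crc[$id]) && $this->crc[$id] === crc32($data)) {
            return $this->updateTimestamp($id, $data);   // unchanged: touch expiry only
        }
        $st = $this->db->prepare(
            'INSERT OR REPLACE INTO php_sessions (id, data, expiry) VALUES (?, ?, ?)');
        $ok = $st->execute([$id, $data, time() + $this->ttl]);
        $this->crc[$id] = crc32($data);
        return $ok;
    }

    // PHP's own session.lazy_write (default on) calls this instead of write()
    // when the serialized data is unchanged, so the crc check above mainly
    // matters with lazy_write disabled.
    public function updateTimestamp(string $id, string $data): bool
    {
        $st = $this->db->prepare('UPDATE php_sessions SET expiry = ? WHERE id = ?');
        return $st->execute([time() + $this->ttl, $id]);
    }

    // With session.use_strict_mode=1 PHP asks before accepting a client-supplied
    // id; unknown ids are replaced, so an attacker cannot fix a session id.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM php_sessions WHERE id = ? AND expiry > ?');
        $st->execute([$id, time()]);
        return $st->fetchColumn() !== false;
    }

    public function destroy(string $id): bool
    {
        unset($this->crc[$id]);
        return $this->db->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int
    {
        $st = $this->db->prepare('DELETE FROM php_sessions WHERE expiry <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// Bootstrap: the id lives only in a cookie, never in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);

$pdo = new PDO('sqlite::memory:');             // in-memory DB so this runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();

if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = 'alice';                // constructed sample login
    session_regenerate_id(true);                // fresh id on privilege change
}
```

Two caveats a practitioner will want. First, the crc32 is a change detector that saves a write; it is not an integrity or authentication check, and the data is trustworthy only because it never leaves the server. Second, the session id is still a bearer token, so the cookie flags, `use_only_cookies`, strict mode and `session_regenerate_id()` on login are what keep the server-side design from degrading into the URL-token scheme the thread argues against. The in-memory SQLite DSN is only for running the example offline; behind a load balancer such as Pound every backend must point at the same shared database, which is what makes the sessions survive a switch between web servers.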