As web applications have matured, the need for statefulness has become a common requirement. Stateful web applications, meaning applications that keep track of a particular visitor's information as he travels throughout a site, are now so common that they are taken for granted.
Given the prevalence of web applications that keep track of things for their visitors (such as shopping carts, online banking, personalized home page portals, and social networking community sites), it is hard to imagine the Internet we use every day without stateful applications.
HTTP, the protocol that web servers and clients use to talk to each other, is a stateless protocol by design. However, since PHP 4.0, developers who've built applications with PHP have had a convenient set of session management functions that have made the challenge of implementing statefulness much easier. This chapter focuses on several good practices to keep in mind while developing stateful applications.
Sessions are focused on maintaining visitor-specific state between requests. Some applications also require an equivalent type of lightweight storage of non-visitor-specific state for a period of time at the server-side level. This is known as data persistence.
Recipe 11.1 explains PHP's session module, which lets you easily associate persistent data with a user as he moves through your site. Recipes 11.2 and 11.3 explore session hijacking and session fixation vulnerabilities and how to avoid them.
Session data is stored in flat files in the server's /tmp directory by default. Recipes 11.4 and 11.5 explain how to store session data in alternate locations, such as a database and shared memory, and discuss the pros and cons of these different approaches.
Recipe 11.6 demonstrates how to use shared memory for more than just session data storage, and Recipe 11.7 illustrates techniques for longer-term storage of summary information that has been gleaned from logfiles.