I have had a quick search, and it seems all the related questions don't quite get to my point, or are too specific to help me out.
My first consideration is performance. My understanding is that by default storing information within $_SESSION means the server writes a file to disk. For a small LAMP server or a basic, small hosted website, how big would your $_SESSION variable need to get before a database becomes a more efficient option? Would 10, 100, 1000, 10000 array members in $_SESSION be where you begin to consider using a database instead? Or is traffic more of a consideration?

The second consideration is security. In some other answers I have seen statements like "never ever store xxx in the $_SESSION variable". Does storing information in a database actually make it more secure than $_SESSION, or can $_SESSION be made as secure as the database given the server is set up correctly?

My feeling is that many sites developed out in the wild would start off using $_SESSION to begin with, and not necessarily get refactored to use the database. If you can redirect the $_SESSION variable from a file to the database anyway, is it always better to use $_SESSION and later point that at a database if performance is an issue?
Are there any other considerations to make for this design choice?