Storing encrypted session information in a cookie
Our session system is due for an upgrade. Currently all PHP sessions are stored in the database, and some things are getting a bit slow. There have been a couple of approaches I've been considering, one of which is simply storing all the information in a browser cookie.
First I want to make clear I don't necessarily condone this. The reason I'm writing this post is that I'm hoping for some more community feedback. Is this a really bad idea? I would love to know.
The benefits
If all the session data is stored in the browser, it means that I don't need to store it on the server. I actually don't care all that much for having the data on the server (unless it's the only secure way); it's mostly a gigantic map of session tokens and user ids (along with some other info).
I also feel it's more natural for HTTP, as it makes it a bit more stateless.
Sample code
```php
<?php
class BrowserSession {
    // Must be a cryptographically random secret shared by every server that
    // issues or accepts this cookie (not a literal in the source).
    public $secret = 'this will need to be a cryptographic random number';
    public $currentUser = null;
    // Sessions time out after 10 minutes
    public $timeout = 600;

    function init() {
        if (!isset($_COOKIE['MYSESSION'])) {
            echo "No session cookie found\n";
            return;
        }
        // Cookie format: userId:issuedAt:signature
        $parts = explode(':', $_COOKIE['MYSESSION']);
        if (count($parts) !== 3) {
            echo "Malformed session cookie\n";
            return;
        }
        list($userId, $time, $signature) = $parts;
        // The cookie is old: issued more than $timeout seconds ago
        if ((int)$time < time() - $this->timeout) {
            echo "The session cookie timed out\n";
            return;
        }
        // Completion of the truncated snippet: HMAC over the signed fields,
        // compared in constant time (the hash choice is an assumption).
        $expected = hash_hmac('sha256', $userId . ':' . $time, $this->secret);
        if (!hash_equals($expected, $signature)) {
            echo "Invalid session signature\n";
            return;
        }
        $this->currentUser = $userId;
    }
}
```
Truncated by Planet PHP, read more at the original (another 10267 bytes)
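The sample above only signs the cookie, so the browser can still read the user id and timestamp in clear, and the post's title talks about encryption. Below is an added example (not the post's own code) of the same stateless idea done with authenticated encryption, so the client can neither read nor alter the session data. It assumes PHP 7.4 or later with the sodium extension; the cookie name and the 10-minute timeout follow the post's sample, and the class, method names and the demonstration data are constructed for this example.

```php
<?php
// Added example (not the post's own code): a stateless session cookie that is
// encrypted and authenticated, so the browser can neither read nor alter it.
// Assumes PHP >= 7.4 with the sodium extension. Cookie name and 10-minute
// timeout follow the post's sample; everything else here is an assumption.

final class EncryptedCookieSession
{
    private const COOKIE_NAME = 'MYSESSION';
    private const TIMEOUT     = 600;
    private string $key;

    public function __construct(string $key)
    {
        // 32 random bytes, generated once (random_bytes(32)) and stored
        // outside the source tree, e.g. in an environment variable.
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    // Seal session data into a cookie value. The expiry is inside the encrypted
    // payload, so it cannot be edited without breaking the authentication tag,
    // and the cookie name is bound in as associated data so a value cannot be
    // replayed under a different cookie name.
    public function seal(array $data, ?int $now = null): string
    {
        $now = $now ?? time();
        $payload = json_encode(['exp' => $now + self::TIMEOUT, 'data' => $data], JSON_THROW_ON_ERROR);
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ciphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            $payload, self::COOKIE_NAME, $nonce, $this->key
        );
        return sodium_bin2base64($nonce . $ciphertext, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }

    // Open a cookie value. Returns the session data, or null when the cookie
    // is missing, malformed, forged/tampered, or expired.
    public function open(?string $cookie, ?int $now = null): ?array
    {
        if ($cookie === null) {
            return null;
        }
        try {
            $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException $e) {
            return null; // not valid base64: never reached the cipher
        }
        $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if (strlen($raw) <= $nonceLen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
            return null; // too short to hold nonce, tag and any payload
        }
        $plaintext = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, $nonceLen), self::COOKIE_NAME, substr($raw, 0, $nonceLen), $this->key
        );
        if ($plaintext === false) {
            return null; // authentication failed: wrong key or modified cookie
        }
        $payload = json_decode($plaintext, true);
        if (!is_array($payload) || !isset($payload['exp'], $payload['data']) || !is_array($payload['data'])) {
            return null;
        }
        if (($now ?? time()) >= (int) $payload['exp']) {
            return null; // expired
        }
        return $payload['data'];
    }
}

// Demonstration with a throwaway key and constructed session data.
$session = new EncryptedCookieSession(random_bytes(32));
$cookie  = $session->seal(['userId' => 42, 'role' => 'editor']);

var_dump($session->open($cookie));                 // array(2) { userId => 42, role => "editor" }

// Flip one character inside the ciphertext region (the first 32 base64
// characters are the nonce); the tag no longer verifies.
$tampered = $cookie;
$tampered[40] = ($tampered[40] === 'A') ? 'B' : 'A';
var_dump($session->open($tampered));               // NULL

var_dump($session->open($cookie, time() + 601));   // NULL: past the 10-minute expiry

// When sending it, keep scripts and plain HTTP away from it:
// setcookie('MYSESSION', $cookie, ['expires' => time() + 600, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Two caveats remain with any stateless design, encrypted or merely signed. The server cannot revoke a session before its expiry (a logout or password change does not invalidate a copied cookie) unless it keeps some state, such as a short deny-list or a per-user "sessions issued before T are void" timestamp, so the timeout should stay short. And the key is now the whole secret: it must be random, shared only between the servers that issue and accept the cookie, and rotating it logs every user out unless both old and new keys are accepted for a grace period.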


