I’ve been coding PHP for a few years now, but still once in a while I come across something that I had no idea about. In a recent project I was working on the single sign-on (SSO) integration with the customer’s internal systems. After doing the initial proof of concept code snippet, I got the logged-in user results from a shared caching server. The string looked something like this:
This was very similar to the results of PHP’s serialize() function, but not quite. I asked around, but nobody could point me in the right direction, so I went the regular expression way to parse this (do I have two problems now?).
After a code review and discussion with the developers on the customer side, I learned that this is apparently a result of PHP’s session_encode() function, which I hadn’t seen in the wild until that day. Excellent! Now I should be able to use session_decode() to parse that, right? Well, almost. According to PHP Sadness #29:
The only way to decode php-session-format serialization (different from normal serialize) is by calling session_decode, which can only be called if there is an active session. If there is no active session, you can’t decode session data without starting one first.
So, don’t forget to session_start() before you try to decode. Which makes it a bit tricky if you already have a session that you don’t want to ruin. You might want to look into session_name() to work around it. Luckily, I didn’t have to resort to that as another customer-specific workaround was implemented.
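One way to decode such a string without leaving its contents in your own session, as an added example that is not code from the project described above. The helper name and the sample string are made up for illustration, and the default session.serialize_handler ("php") is assumed.

```php
<?php
/**
 * Decode a session_encode() string into a plain array.
 * Hypothetical helper; assumes session.serialize_handler = "php".
 * session_decode() unserializes the values it reads, so only pass it
 * data that comes from a store you trust.
 */
function decode_session_string(string $encoded): array
{
    $hadSession = session_status() === PHP_SESSION_ACTIVE;

    if ($hadSession) {
        $backup = $_SESSION;      // keep the real session's data
    } elseif (!session_start(['use_cookies' => 0, 'cache_limiter' => ''])) {
        // session_decode() needs an active session; a scratch one is
        // started here without cookies or cache headers.
        throw new RuntimeException('could not start scratch session');
    }

    try {
        $_SESSION = [];           // session_decode() adds to $_SESSION
        if (!session_decode($encoded)) {
            // Caveat: PHP destroys the active session when decoding fails,
            // so a bad string can cost you the real session as well.
            throw new InvalidArgumentException('not valid session data');
        }
        return $_SESSION;
    } finally {
        if ($hadSession) {
            $_SESSION = $backup;  // put the real session's data back
        } else {
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_destroy(); // drop the scratch session's storage
            }
            $_SESSION = [];
        }
    }
}

// Constructed sample input, not the string from the caching server.
$sample = 'user|s:5:"alice";roles|a:2:{i:0;s:5:"admin";i:1;s:3:"dev";}';
var_export(decode_session_string($sample));
```

Call it before any output is sent when no session is active, since starting the scratch session is subject to the usual session_start() restrictions.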