PHP session encoding

I’ve been coding PHP for a few years now, but still once in a while I come across something that I had no idea about.  In a recent project I was working on the single sign on (SSO) integration with the customer’s internal systems.  After doing the initial proof of concept code snippet, I got the logged in user results from a shared caching server.  The string looked something like this:


This was very similar to the results of PHP’s serialize() function, but not quite.  I’ve asked around, but nobody could point me in the right direction, so I went the regular expression way to parse this (do I have two problems now?).

After a code review and discussion with the developers on the customer side, I’ve learned that this is apparently a result of PHP’s session_encode() function, which I haven’t seen in the wild until that day.  Excellent! Now I should be able to use session_decode() to parse that, right?  Well, almost.  According to PHP Sadness #29:

The only way to decode php-session-format serialization (different from normal php serialize) is by calling php session_decode, which can only be called if there is an active session. If there is no active session, you can’t decode session data without starting one first.

So, don’t forget to session_start() before you try to decode.  Which makes it a bit tricky if you already have a session that you don’t want to ruin.  You might want to look into session_name() to work around it.  Gladly, I didn’t have to resolve to that as another customer-specific work around was implemented.

6 thoughts on “PHP session encoding”

Leave a Comment