Are php sessions stateless or not? [closed]

I know this question was asked many times regarding the use of php sessions in RESTful APIs, but the answer is usually that php sessions preserve the state across multiple requests, thus are not stateless, and since I have doubts about this claim I would like to contradict it and receive good answers:

If I understand php sessions right, this is how they work:

  • When a user requests a resource that involves session handling a session id is produced and provided to him.
  • The user is responsible to send this session id to the server for any subsequent requests, which is usually done by the user-agent via cookies or by attaching a session-id parameter to the url.

Thus, no application state information is ever saved on the server, and php sessions ARE stateless, as the session id is saved by the client, not the server.

Of course, there's the session file that IS saved on the server, hence the preserved state. But what is the difference between saving info on this session file, or saving it in a database? sessions or not, some data is saved on the server, and some of it (or all of it) is only relevant to a certain user or a group of users.

Assume a chess game for example. Assume all game logic is implemented in php files. Soldier positions are saved in a table. Player must identify somehow to tell the server what move to do next. Now assume soldier positions are saved in a session file. Player has to identify again, is this scenario any different than the db table scenario?

EDIT: Thanks for the good answers, they raise another question: can session-based applications (such as the chess game from last paragraph) be implemented as a RESTful service?

asked May 28 '14 at 14:05

So is your question is there any difference between storing session values in a server file and a database table? -

If you saved the soldier positions in session data, how would the other player know where the pieces are? -

The implementation is different but I find that database style sessions are much more resilient. shiflett.org/articles/storing-sessions-in-a-database And to answer your initial question - sessions are stateless in practice. -

@Pitchinnate, my question is as the title of this post: "Are php sessions stateless or not?" the rest is just to clear my standing. -

@YekhezkelYovel sessions allow you to have a state, in a stateless environment. The individual http requests are stateless but the sessions allow you to have persistent data across those requests. -

2 Answers

You're missing the big forest picture for the small implementation details of the storage trees.

The act of establishing a session means the server has a state. Where this state is stored is irrelevant. The fact that a session may time out means there's a state. An API is only stateless if I can repeat the same request at any time and always receive the same answer. If I have to establish a session with the server before I can send my request and this session still needs to be active or my request may be denied, then I cannot send my request at any time, but only at a time when there's an active session, and hence the server is not stateless.

Now, if the session had absolutely no influence on the request and it didn't matter whether the client tracked the session cookie or not and will always have his requests answered regardless of the session state, that'd be a stateless server. And a rather pointless session.

answered May 28 '14 at 14:05

First thanks for your response. So, If I understand you correctly, the chess example would be un-implementable as a RESTful service, am I right? - Yekhezkel Yovel

Just the fact that information is stored doesn't indicate a state. Sessions specifically establish a specific, temporary state between the server and a specific user. That is a stateful API. You could make a perfectly stateless API for your chess game in which the state of the game is sent in the request body of every request; as long as anyone could send the same request at any time and receive the same answer, that's a stateless API as well. It doesn't matter where the data is stored, it matters how the API can be used. - decir

Also, don't take "receive the same answer" as meaning that the data storage on the server can never be altered. If you have your chess game and the game progress is all stored on the server in a database, then of course I may receive different content in the response any time I ask for the status of the game, because the game may have progressed in the meantime. However, I will always receive the same type of answer every time I ask for the game status; I will never receive a "your session has expired" answer in a stateless API. - decir

I see. Thanks a lot, you've cleared up the subject for me. - Yekhezkel Yovel
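
The distinction drawn in the answer and comments above, as an added PHP sketch that is not part of the original thread: a session-backed endpoint can refuse a well-formed request because the state the server holds for that client has timed out, while an endpoint that receives the whole game in the request can answer it at any time. The function names, the array standing in for session storage, and the HMAC tag on the client-carried state are assumptions added for this example.

```php
<?php
declare(strict_types=1);

// Constructed illustration; every name here is hypothetical.
// $sessions stands in for PHP's server-side session storage (files or a table).
const SESSION_TTL = 1440;                  // PHP's default session.gc_maxlifetime, in seconds
const STATE_KEY = 'constructed-demo-key';  // placeholder HMAC secret

// Session-backed: the reply depends on per-client state the server still holds.
function sessionMove(array &$sessions, string $sid, string $move, int $now): array
{
    $session = $sessions[$sid] ?? null;
    if ($session === null || $now - $session['seen'] > SESSION_TTL) {
        unset($sessions[$sid]);
        return ['status' => 401, 'error' => 'your session has expired'];
    }
    $session['moves'][] = $move;
    $session['seen'] = $now;
    $sessions[$sid] = $session;
    return ['status' => 200, 'moves' => $session['moves']];
}

// HMAC over the move list, so the client cannot edit the state it carries.
function signState(array $moves): string
{
    return hash_hmac('sha256', json_encode($moves), STATE_KEY);
}

// Stateless: the request carries the whole game; nothing is kept per client.
function statelessMove(array $moves, string $tag, string $move): array
{
    if (!hash_equals(signState($moves), $tag)) {
        return ['status' => 400, 'error' => 'state failed integrity check'];
    }
    $moves[] = $move;
    return ['status' => 200, 'moves' => $moves, 'tag' => signState($moves)];
}

$sessions = ['sid-constructed' => ['moves' => [], 'seen' => 0]];
$replies = [
    sessionMove($sessions, 'sid-constructed', 'e2e4', 60),                // inside the timeout
    sessionMove($sessions, 'sid-constructed', 'e7e5', 61 + SESSION_TTL),  // after the timeout
];
$first = statelessMove([], signState([]), 'e2e4');
$replies[] = $first;
$replies[] = statelessMove($first['moves'], $first['tag'], 'e7e5');       // valid whenever it is sent
$replies[] = statelessMove(['e2e4', 'd1h5'], $first['tag'], 'e7e5');      // client-edited state
foreach ($replies as $reply) {
    echo json_encode($reply), PHP_EOL;
}
```

A signed state can still be replayed from an earlier point in the game, so a game between two players would normally keep the board in shared storage keyed by a game id, which the comments above describe as still compatible with a stateless API.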

As far as no application information being saved on the server, that is false. Session data is saved on the server. The only thing saved on the client's machine is the session cookie.

You can tell if something is stateless because you will not be able to go back to a previous step (each step is treated as an independent transaction[cite]). For sessions, that is exactly what they allow you to do. If you have items in your shopping cart on an eCommerce site for example, you can turn off your machine and come back later and check out with those items still in your cart. That is state preservation.

answered May 28 '14 at 14:05
