Request #49622 allow usage of json and/or php standard serialize format for sessions
Submitted: 2009-09-22 12:14 UTC Modified: 2013-08-10 09:19 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:1 (33.3%)
From: giunta dot gaetano at gmail dot com Assigned: yohgaki (profile)
Status: Wont fix Package: Session related
PHP Version: 5.3.0 OS: *
Private report: No CVE-ID: None

 [2009-09-22 12:14 UTC] giunta dot gaetano at gmail dot com
The current session_decode() function is good when the user needs to decode a serialized session string, but it
- needs to have session_start() called beforehand
- has an impact on the current session state

A lot of comments in the php man pages for unserialize() and session_decode() are from users trying to write a preg_ based decoder of session data (and failing).

A new function session_decode_to_array() that
- returned the deserialized data as an array
- did not impact current session state
would imho be quite useful (or adding a flag param to the existing function, to the same effect)

Since this feat. request has already been filed and closed as bogus (, what I am proposing here is slightly different: besides 'wddx' and 'php', allow usage of 'json' and 'serialize' as native serialization formats for session data - the latter corresponding to the native serialize function.

If there is some information loss involved in using those two formats (ie. references), just make it clear in the docs.


 [2010-11-24 11:04 UTC]
-Package: Feature/Change Request +Package: Session related
 [2010-11-24 11:04 UTC]
-Operating System: !important +Operating System: *
 [2011-02-02 20:49 UTC] lealcy at gmail dot com
Just add a second parameter to the existing function: $overwrite_session = true.
This avoids creating an extra function and doesn't break any existing code.
 [2012-03-31 03:50 UTC]
JSON cannot be used (e.g. it can't handle binary well). Maybe BSON?

Plain serializer will be added.
 [2012-03-31 03:50 UTC]
-Assigned To: +Assigned To: yohgaki
 [2013-08-10 09:19 UTC]
-Status: Assigned +Status: Wont fix
 [2013-08-10 09:19 UTC]
I considered adding JSON and BSON serializers and came to the conclusion that
it would not be worth implementing them.

JSON is a text-based serializer and cannot handle binary well. Therefore, all
strings in the $_SESSION array have to be preprocessed by base64encode. The reverse
operation is required when decoding. I think it is just not worth it.

If one would like to use BSON, they may simply use MongoDB as session data
storage. It seems there are a number of session save handlers.

Users can retrieve BSON from MongoDB.

There will be a "php_serialize" serialize handler if you need a better serializer
that communicates with other systems.


Use "php_serialize" instead.
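
An added example, not code from this report or from the PHP project: decoding a payload stored with session.serialize_handler=php_serialize into an array without session_start() and without touching $_SESSION, next to the JSON binary-string limitation raised in the comments. session_payload_to_array() is a hypothetical helper name, the sample data is constructed, and the allowed_classes option assumes PHP 7.0 or later.

```php
<?php
/**
 * Hypothetical helper (not a PHP built-in): decode a php_serialize
 * session payload into a plain array, leaving $_SESSION untouched.
 */
function session_payload_to_array(string $raw): array
{
    if ($raw === '') {
        return [];              // a freshly created, empty session record
    }
    // allowed_classes=false: stored objects come back as
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() code runs
    // on data read from session storage.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('not a php_serialize session payload');
    }
    return $data;
}

// Constructed sample: the php_serialize handler stores serialize($_SESSION),
// here with a binary (non-UTF-8) string among the values.
$session = ['user_id' => 42, 'token' => "\xff\xfe\x00\x01", 'roles' => ['admin']];
$raw = serialize($session);

// Round trip through the helper: the binary string survives unchanged.
$decoded = session_payload_to_array($raw);
var_dump($decoded === $session);

// The same data through JSON: json_encode() rejects the invalid UTF-8 bytes
// and returns false; json_last_error_msg() gives the reason.
var_dump(json_encode($session));
echo json_last_error_msg(), "\n";

// The base64 preprocessing described in the comment above: every string has
// to be wrapped before encoding and unwrapped again after decoding.
$wrapped = $session;
array_walk_recursive($wrapped, function (&$v) {
    if (is_string($v)) {
        $v = base64_encode($v);
    }
});
$unwrapped = json_decode(json_encode($wrapped), true);
array_walk_recursive($unwrapped, function (&$v) {
    if (is_string($v)) {
        $v = base64_decode($v);
    }
});
var_dump($unwrapped === $session);
```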
Last updated: Sun Apr 02 06:03:36 2023 UTC