go to bug id or search bugs for
Storing sessions in a Database is great for high-availability and sharing sessions across multiple web hosts.
However, when one wants to deeply inspect the session data, such as an administrator or an Admin Tool that displays all the information about a current session, there seems to be two options.
1. For a short time, hijack $_SESSION
$tmp = session_encode();
$sessdata = $_SESSION;
This replaces the current users' $_SESSION with the decoded data until one has time to restore it. If it doesn't restore successfully, you've got a bad situation.
2. Write your own unserialize functions. Wikimedia had to. Yuck. ADODB had one that preg_match'd on a Pipe character, but that broke if the value contained pipes. Someone else wrote a recursive one that worked pretty well and took advantage of the fact that unserialize() will stop unserializing at the next pipe in the string. OK but is that guaranteed to keep working forever?
If session_decode() would be able to return the decoded session (FALSE on failure as it does now, but success gives you the array/object), then nobody would have to write or maintain code that may or may not be exactly how session_decode() works.
Additionally if people start writing their own handlers, yikes.
session_decode_return() or something similar would be fine too if you don't want to overload session_decode().
Add a Patch
Add a Pull Request
The three supported options for session.serialize_handler are
php_serialize (5.5.4+ only)
If someone writes their own handler, they now have to expose some method for someone else to decode their serialized session data.
session_decode() already knows how to handle this, no special case handling necessary.