Home > PHP, Zend Framework > Unserializing stored sessions from Zend_Session

Unserializing stored sessions from Zend_Session

November 27th, 2008 Leave a comment Go to comments

Do you need to unserialize session data stored in your database with Zend_Session_SaveHandler_DbTable? This can be usefull when you want to build a session management interface in your CMS for example. Zend_Session stores its session data by storing it in a string in this format:

SESSION_NAMESPACE|[serialized_data]SESSION_NAMESPACE|[serialized_data] etc. etc.

Zend Framework does not supply a way to unserialize this data for use other than using the stored session as session. The php function unserialize() can’t cope with the stored format because multiple serialized strings stored are in the data column. session_decode() does work, but restores the session in $_SESSION instead of only unserializing its content and passing it on. To unserialize a stored session in zend framework you can use this method:

     * Unserializes a stored Zend_Session_SaveHandler_DbTable data column.
     * @param string $data Zend_Session Serialized session namespaces string.
     * @return mixed (array with namespaces and unserialized objects previously stored in session)
    function unserializeZendDbStoredSession($data) {
        $vars = preg_split('/([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff^|]*)\|/', $data,-1,PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE);
        $numElements = count($vars);
        for($i=0; $numElements > $i && $vars[$i]; $i++) {
        return $result;

With this data you can check who is logged in, for how long, and what they are doing depending off course on the things you store in the session. You can also end sessions by deleting their rows in the session table. Very useful.
Isn’t this unsafe? I think it depends on how you use the data. It can’t alter the session itself at least. Please correct me if I’m wrong.

  1. No comments yet.
  1. No trackbacks yet.