I have had a quick search, and it seems all the related questions don't quite get to my point, or are too specific to help me out.
My first consideration is performance. My understanding is that by default storing information within $_SESSION means the server writes a file to disk. For a small LAMP server or a basic, small hosted website, how big would your $_SESSION variable need to get before a database becomes a more efficient option. Would 10, 100, 1000, 10000 array members in $_SESSION be where you begin to consider using a database instead? Or is traffic more of a consideration?
The second consideration is security. In some other answers I have seen statements like "never ever store xxx in the $_SESSION variable". Does storing information in a database actually make it more secure than $_SESSION, or can be $_SESSION be made as secure as the database given the server is set up correctly?
My feeling is that many sites developed out in the wild would start off using $_SESSION to begin with, and not necessarily get refactored to use the database. If you can redirect the $_SESSION variable from a file to the database anyway, it is always better to use $_SESSION and later point that at a database if performance is an issue?
Are there any other considerations to make for this design choice?
I don't think I would worry to much about the size of your session file, granted it is more scalable to use a database, I doubt you will notice a vast performance difference for a small to medium site.
As for the security aspect, It would not be recommended to store user data in a session (username, hash, email). If you wanted to use purely sessions you could look into encrypting your session which many frameworks like CodeIgniter offer.
So to conclude, In my opinion you should always be using the database for user information (including IP address) and sessions for general data (search terms, analytics etc...)
Hope this helps you with your decision.
Regards, James
You're missing the main thing, which is that whatever you store in the database is indefinitely persistent, whereas the session only lasts until the user logs out or it expires.
So the main reason to store something in the database as opposed to the session is that you want to keep it.
On any site that requires scalability, you would actually store your sessions in the database anyway, so the first point about performance is irrelevant.
As for security, as long as the session data is properly encrypted, it is secure enough.
I would personally only use sessions to store minimal information. If you need to store 10,000 array items in a session, it can most likely be written differently.
Per default, PHP sessions are stored on disk.
Some distributions come with hardened PHP called suosin http://www.hardened-php.net/suhosin/, and it can be set up to encrypt sessions.
As for how efficient sessions are, I would say very. You're probably never going to have to worry about that, and if you ever get to a point where it becomes a problem, you're probably going to want to store the sessions in memory instead of disk/database.
It's possible to change how PHP sessions are stored/loaded, check this out: http://php.net/manual/en/session.customhandler.php