What is the recommended way to use PHP session objects on a high-traffic site?

I am currently working on a website that has high traffic by my standards. It's a webshop and has a few (serialized) objects in its session.

E.g.

$_SESSION['shoppingcart'] = new Shoppingcart();

And this object is later used throughout the code. So far no problem. The session duration is 1 hour at the moment and is extended when users keep it alive by making requests.

Now for the (probably well known) problem: When making a change to the Shoppingcart class in the example there is a chance that the change breaks the deserializing of the object. What can we do to prevent this problem? What is the recommended approach?

  • We can keep values in the database and only use a primitive int inside the session to identify the primary key.

  • We can use some array conversion from the object.

  • ?

There is a good chance there is an expert here that has a better answer, but for now I will share what I found.

Given all these potential problems, I strongly advise against storing objects in the session. If you want to persist the logged in user, instead of storing an instance of a User class in $_SESSION, just store the user ID and populate the user object from the database or cache. It’s a little more work than letting PHP magically handle everything for you, but your application will be much more stable and portable without object serialization.

source: https://www.phparch.com/2018/01/php-sessions-in-depth/
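
One way to apply this advice to the cart from the question, as an added example that is not code from the original posts or the linked article: the session holds only a versioned array of integers, and the object is rebuilt and validated on each request, so a class change never touches stored data. The method names, the `v` field, and the v1/v2 layouts are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical cart class: the session only ever sees the plain array
// produced by toSession(), never a serialized object.
final class Shoppingcart
{
    private const SCHEMA = 2; // bump when the stored array layout changes

    /** @var array<int,int> product id => quantity */
    private array $items = [];

    public function add(int $productId, int $qty = 1): void
    {
        $this->items[$productId] = ($this->items[$productId] ?? 0) + $qty;
    }

    public function toSession(): array
    {
        return ['v' => self::SCHEMA, 'items' => $this->items];
    }

    public static function fromSession(mixed $data): self
    {
        $cart = new self();
        if (!is_array($data) || !is_array($data['items'] ?? null)) {
            return $cart; // missing or unrecognised data: start with an empty cart
        }
        $v = $data['v'] ?? 1;
        foreach ($data['items'] as $key => $row) {
            // Constructed v1 layout: list of ['id' => .., 'qty' => ..]; v2: id => qty
            [$id, $qty] = $v === 1 ? [$row['id'] ?? 0, $row['qty'] ?? 0] : [$key, $row];
            if (is_int($id) && is_int($qty) && $id > 0 && $qty > 0) {
                $cart->add($id, $qty); // rows that fail validation are dropped
            }
        }
        return $cart;
    }
}

// Constructed sample: a session written by an older release (v1 layout).
$_SESSION = ['shoppingcart' => ['v' => 1, 'items' => [['id' => 42, 'qty' => 2]]]];
$cart = Shoppingcart::fromSession($_SESSION['shoppingcart'] ?? null);
$cart->add(7);
$_SESSION['shoppingcart'] = $cart->toSession(); // stored again as plain ints, v2
var_dump($_SESSION['shoppingcart']);
```

Because the stored value contains no class names, reading the session never instantiates application classes, and a session that predates a deployment degrades to a migrated or empty cart instead of a failed unserialize.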