Frameworks that start sessions for every visitor make me sad

I might have played the devil's advocate when Lars was hating on frameworks at the barcamp last weekend, but that doesn't mean I don't see his point. The latest in a series of frustrations with frameworks kept me up until 3am last night. What better way to cap it off than complaining on the internet?

Today's subject is anonymous sessions. Frameworks (and developers) love them because they are simple and convenient, but that convenience comes at a cost. Keeping track of sessions for every visitor on a high-traffic site is far too expensive to be practical. Developers should know how to work around this, but their frameworks need to support them.

The first framework on my mind is Drupal. I filed an issue last year that Drupal should support disabling anonymous sessions. It's still unassigned so I'm guessing it's not a high priority, but it was one of the main things that made me choose not to use Drupal on mozilla.com. I wrote some ideas on how to handle it and got some responses from people suffering the same fate. No word on any progress though.

The second framework, CakePHP, has an AUTO_SESSION variable that, just like $cacheQueries, is far too easy to misplace faith in.

By setting AUTO_SESSION to false, you can't read or write to the session. Working as advertised? Not so much. If you take a closer look at what's actually happening, you'll see that the session is still getting started; it's just that CakePHP is blocking your access to it. Even with AUTO_SESSION off, a cookie with a unique ID is set, and a row is still inserted into the sessions table. That last part almost brought down AMO last night. I wrote a patch that disables anonymous sessions for real, but anyone that has talked to me about patching core code knows I don't like to do it.
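One way to get "no session for anonymous visitors" in plain PHP, as an added example (not the patch mentioned above and not CakePHP or Drupal code): the session is resumed only when the request already carries a session cookie, and created only on the first write. `LazySession` is a hypothetical helper name, and the code assumes `session.auto_start` is off.

```php
<?php
// Added example: lazy session handling. LazySession is a hypothetical name.
final class LazySession
{
    /** True when the request already carries a session cookie. */
    public static function hasCookie(): bool
    {
        return isset($_COOKIE[session_name()]);
    }

    /** Resume an existing session only; anonymous visitors get no cookie and no stored row. */
    public static function resume(): bool
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return true;
        }
        return self::hasCookie() && session_start();
    }

    /** Read without creating a session as a side effect. */
    public static function get(string $key, $default = null)
    {
        return self::resume() ? ($_SESSION[$key] ?? $default) : $default;
    }

    /** The first write (e.g. at login) is the only place a new session is created.
     *  Must run before any output is sent, because it sets the cookie header. */
    public static function set(string $key, $value): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION[$key] = $value;
    }

    /** Drop the session and expire the cookie so the visitor is anonymous again. */
    public static function destroy(): void
    {
        if (!self::resume()) {
            return;
        }
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}
```

A request that sends a session cookie still starts a session, so enable `session.use_strict_mode` to keep unknown client-supplied IDs from being adopted, and call `session_regenerate_id(true)` when a visitor logs in.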

When you're writing code, framework or not, don't forget about scalability.

2 Comments

Did you file a bug in cakephp trac system?

Yeah, I love using cakephp because it helps speed up development, but sometimes bugs with SESSION like this one really become a pita :( .
-- Jose, 04 Apr 2008

I remember myself filing a bug with Cake a long time ago that complained about the inability to start a session manually when you disable automatic session starting. Many months later, it was closed fixed without any further comment (so I am still unsure how this was indeed fixed).

In any case it's sad to open a session for everyone, as it adds a bunch of unnecessary overhead (I am inclined to say that most pages that are divided into public/private, or are even completely public don't need a session for anonymous users).

Thus, dear framework developers: Please default to manual (well, "assisted") session handling instead of forcing AUTO_SESSION on and then not providing a way to really, really disable this "feature".
-- Fred Wenzel, 21 Apr 2008
