--- /dev/null
+PHP session serialization formats
+=================================
+
+These are the currently available formats in basic PHP.
+
+In the older formats, you can see the legacy of PHP's old "register random
+global variables for the session" mechanism in the fact that they have the
+ability to indicate unset-but-present as a distinct value.
+
+
+php
+---
+
+This is PHP's default format. Set values are encoded as
+`{$key}|{$serializedValue}`, while unset values are `{$key}!` and placed at the
+end of the string. An attempt to insert unset-but-present in the middle of the
+string will append it to the next key (since 5.2.6 or earlier, anyway).
+
+For example, `foo|i:1;baz|s:6:"string";bar!` encodes session data with
+'foo' = 1, 'baz' = "string", and 'bar' is present but unset.
+
+Due to these delimiters, keys may not contain pipe (`|`) or bang (`!`) characters.
+Attempting to serialize a `$_SESSION` array containing these characters will
+fail.
+
+Keys also may not be numeric. Any numeric entries in `$_SESSION` will be ignored.
+
+There is no value length or delimiter.
+
+
+php_binary
+----------
+
+Keys are encoded as a byte length (up to 127) followed by the indicated number
+of bytes. If the variable is unset, the high bit of the length is set.
+Otherwise, the serialized value follows immediately after the end of the key.
+
+Depending on the version of PHP, an unset-but-present might ignore the key,
+might set the key to null, or might stop processing the rest of the string
+entirely. This library takes the first option.
+
+For example, `\x03fooi:1;\x03bazs:6:"string";\x83bar` encodes session data with
+'foo' = 1, 'baz' = "string", and 'bar' is present but unset.
+
+Due to the size of the length field, keys may not be more than 127 bytes long.
+Entries in `$_SESSION` with longer keys are ignored.
+
+Keys also may not be numeric. Any numeric entries in `$_SESSION` will be ignored.
+
+There is no value length or delimiter.
+
+
+php_serialize
+-------------
+
+This is the most reliable format, added in PHP 5.5.4. The format is just
+`$_SESSION` passed to the standard [`serialize()`][serialize] function. It does
+not have the ability to indicate unset-but-present.
+
+For example, `a:2:{s:3:"foo";i:1;s:3:"baz";s:6:"string";}` encodes session data
+with 'foo' = 1 and 'baz' = "string".
+
+Unlike other formats, numeric keys are allowed and are stored correctly.
+
+When decoding the session, PHP does not check that the encoded string encodes
+an array, and will happily set `$_SESSION` to other types. It will refuse to
+re-serialize such a `$_SESSION`, however.
+
+
+wddx
+----
+
+When WDDX support is compiled into PHP, the WDDX format may be used to store
+session data. This format, however, cannot represent the full range of PHP data
+types (e.g. `INF`, `NAN`, data structures containing references) and so is not
+likely to be particularly useful unless you're trying to share saved session
+data with code in some other language that has WDDX support.
+
+
+
+---
+[serialize]: https://php.net/manual/en/function.serialize.php
scripts.mit.edu / autoinstallsdev / mediawiki.git / blobdiff