1 session.inc _backdrop_session_write($sid, $value)

Writes an entire session to the database (internal use only).

This function is registered with session_set_save_handler() to support database-backed sessions.

This function is an internal function and must not be called directly. Doing so may result in corrupted session data or other unexpected behavior. Session data must always be accessed via the $_SESSION superglobal.


$sid: The session ID of the session to write to.

$value: Session data to write as a serialized string.

Return value

Always returns TRUE.:

See also



core/includes/session.inc, line 162
User session handling functions.


function _backdrop_session_write($sid, $value) {
  global $user, $is_https;

  // The exception handler is not active at this point, so we need to do it
  // manually.
  try {
    if (!backdrop_save_session()) {
      // We don't have anything to do if we are not allowed to save the session.
      return TRUE;

    // Check whether $_SESSION has been changed in this request.
    $last_read = &backdrop_static('backdrop_session_last_read');
    $is_changed = !isset($last_read) || $last_read['sid'] != $sid || $last_read['value'] !== $value;

    // For performance reasons, do not update the sessions table, unless
    // $_SESSION has changed or more than 180 has passed since the last update.
    if ($is_changed || !isset($user->timestamp) || REQUEST_TIME - $user->timestamp > settings_get('session_write_interval', 180)) {
      // Either ssid or sid or both will be added from $key below.
      $fields = array(
        'uid' => $user->uid,
        'hostname' => ip_address(),
        'session' => $value,
        'timestamp' => REQUEST_TIME,

      // Use the session ID as 'sid' and an empty string as 'ssid' by default.
      // _backdrop_session_read() does not allow empty strings so that's a safe
      // default.
      $key = array('sid' => $sid, 'ssid' => '');
      // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
      if ($is_https) {
        $key['ssid'] = $sid;
        // The "secure pages" setting allows a site to simultaneously use both
        // secure and insecure session cookies. If enabled and both cookies are
        // presented then use both keys.
        if (settings_get('https', FALSE)) {
          $insecure_session_name = substr(session_name(), 1);
          if (isset($_COOKIE[$insecure_session_name])) {
            $key['sid'] = $_COOKIE[$insecure_session_name];
      elseif (settings_get('https', FALSE)) {


    // Likewise, do not update access time more than once per 180 seconds.
    if ($user->uid && REQUEST_TIME - $user->access > settings_get('session_write_interval', 180)) {
          'access' => REQUEST_TIME
        ->condition('uid', $user->uid)

    return TRUE;
  catch (Exception $exception) {
    require_once BACKDROP_ROOT . '/core/includes/errors.inc';
    // If we are displaying errors, then do so with no possibility of a further
    // uncaught exception being thrown.
    if (error_displayable()) {
      print '<h1>Uncaught exception thrown in session handler.</h1>';
      print '<p>' . _backdrop_render_exception_safe($exception) . '</p><hr />';
    return FALSE;