Basically this is what I am doing:
I'm using PHPXMLRPC to communicate with Odoo.
In essence, every request I send over needs to follow this structure:

    // The database I wish to connect to
    $msg->addParam(new xmlrpcval($this->dbname, "string"));
    // The logged-in user ID
    $msg->addParam(new xmlrpcval($this->userID, "int"));
    // The logged-in user's password
    $msg->addParam(new xmlrpcval($this->password, "string"));
    // The model
    $msg->addParam(new xmlrpcval("project.project", "string"));
    // The method I'm requesting to call
    $msg->addParam(new xmlrpcval("read", "string"));
    // Query parameters
    $msg->addParam(new xmlrpcval($id_list, "array"));
    $msg->addParam(new xmlrpcval($field_list, "array"));

Now I have written a class whose constructor sets the instance variables to the values passed into it, i.e.:

    class PHPClient
    {
        // Connection details and credentials supplied by the caller
        private $userName;
        private $password;
        private $dbname;
        private $server_url;
        // Set once the user has logged in; false until then
        private $userID;

        public function __construct($server_url, $database, $user, $password)
        {
            $this->server_url = $server_url;
            $this->dbname = $database;
            $this->userName = $user;
            $this->password = $password;
            $this->userID = false;
        }
    }

There are occasions where I wish to use the same object again somewhere else down the line, perhaps in another page. Instead of asking the user to effectively "login" again, enter all their details again, and then having to create another object, would it be safe enough to serialize the PHPClient object and store it in a session, and then, in any other pages where I require use of that object in order to verify that the user is logged in and has sufficient permission, deserialize the object to carry out any further RPC requests?
You can safely serialize across requests. You can even safely put user input into data and then serialize it.
However, never unserialize data that the user can possibly modify. For example, never unserialize a cookie or form payload, or anything that another server sends you.
So yes, it's perfectly safe to serialize to store data in a session.
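
The distinction drawn in the answer above, as an added example that is not part of the original question or answer (PHP 8+): an object kept in the server-side session, next to one way of handling state that has to pass through the client, using JSON plus an HMAC instead of `unserialize()`. The class, function names and sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example. All names and sample values are constructed.
final class ClientState
{
    public function __construct(public string $dbname, public int $userId) {}
}

// Server-side storage: the browser only holds the session ID, never the payload.
// In a web request call session_start() first; PHP serializes the object itself.
function storeInSession(ClientState $state): void
{
    $_SESSION['rpc_client'] = $state;
}

// State that must travel through the client: JSON plus an HMAC, not serialize().
function signState(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

// Returns the decoded array, or null if the token is malformed or was modified.
function verifyState(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    $json = count($parts) === 2 ? base64_decode($parts[0], true) : false;
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

$key = random_bytes(32);                  // server-side secret (constructed here)
$state = new ClientState('demo_db', 7);
storeInSession($state);

// A token the client has not modified.
$token = signState(['dbname' => 'demo_db', 'userId' => 7], $key);
var_dump(verifyState($token, $key));

// Constructed tampering: a different payload with the old signature attached.
$forged = base64_encode('{"dbname":"demo_db","userId":1}') . substr($token, strpos($token, '.'));
var_dump(verifyState($forged, $key));

// If unserialize() on outside data cannot be avoided, refuse to instantiate classes:
// the result is a __PHP_Incomplete_Class placeholder instead of a live ClientState.
$obj = unserialize(serialize($state), ['allowed_classes' => false]);
var_dump($obj instanceof ClientState);
```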