Create a PHP session for all users or only those who want to log in?

Currently, my CMS creates a PHP session for each user who visits the site. I am thinking about creating a session only for users who want to log in. The problem I have here is that some user interface elements for registered users are on all pages, so on every page request the system has to check whether the user is logged in, which means that I have no other way than to start a session on every page request? Or am I wrong? Is it normal practice to create a session for each user, even if they do not need to log in?

In short, I would like to know A. whether there is an option in my use case to create a PHP session only for users who want to log in, and B. whether you think it is bad practice to create a session for each user, regardless of whether they want to log in or not. If it is not, I can leave things the way they are ...

+4
5 answers

You have no (real) choice. You cannot know that the user is logged in (or not) without a session.

+3

Quick response:

In your use case, it's perfectly normal to create a session for each user. Sessions are void, and there is nothing to worry about regarding performance (in your case).

The method you use is not a bad practice at all. In fact, I would say that this is pretty close to best practice.

Long answer: In my 6 years of experience as a PHP programmer in the corporate world, it has been perfectly normal to create a session for each user, regardless of whether they are logged in. In fact, sessions can be used for many convenient functions for the user, even if they are not logged in, for example, in carts, etc. You are doing everything right. If you want to speed things up at all, use a tool like Google Pagespeed and Yahoo YSlow - they will give you best practice tips for websites.

+2

Can't you just find the null value of $_SESSION to see if they are logged in?

+1

In most cases, logins are managed through a session, so you should create a session at the top of the page to determine if they are logged in or not. You really have no choice ... This is not a bad practice, this is a common practice.

+1

You can avoid creating a session every time. So what if session files are small? Why spill them when it is not needed?

Here is what I am doing essentially:

Check for a session cookie on the incoming request and only session_start() if you received it.

Registered users browsing the site (usually) will not send session cookies, so they will not run session_start(). Plain.

As soon as someone logs into your site and you want to start a session (a session both logically in your application and in the sense of PHP), use session_start(), etc., which will handle the cookie setting.

And as soon as someone logs out, make sure you also destroy the session cookie, not just the PHP session itself.

Obviously, the user can block your cookie operations from their end and damage them, but they can do it anyway.

+1
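
The flow described in the last answer, written out as an added example that is not part of the original thread: resume a session only when the browser already sent the session cookie, issue the cookie at login, and expire it at logout. The helper names and the `user_id` session key are hypothetical, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// Added example: resume_session_if_present(), login(), logout() and 'user_id' are hypothetical names.

// Harden the session cookie before any session_start() call (array form needs PHP 7.3+).
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,      // assumption: HTTPS only
    'httponly' => true,      // keep the session ID out of reach of page scripts
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue

// Call at the top of every page: resumes a session only if the browser sent the cookie.
function resume_session_if_present(): bool
{
    if (!isset($_COOKIE[session_name()])) {
        return false;             // anonymous visitor: no session data, no Set-Cookie
    }
    session_start();
    return isset($_SESSION['user_id']);
}

// Call only after the credentials have been verified elsewhere.
function login(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();          // first point at which a cookie is issued
    }
    session_regenerate_id(true);  // fresh ID on privilege change, blocks session fixation
    $_SESSION['user_id'] = $userId;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $params = session_get_cookie_params();
    unset($params['lifetime']);   // not a setcookie() option
    // Expire the cookie in the browser as well as deleting the server-side data.
    setcookie(session_name(), '', ['expires' => time() - 3600] + $params);
    session_destroy();
}

$loggedIn = resume_session_if_present(); // drive the registered-user UI elements from this
```

A browser that presents a stale or unknown session ID still triggers `session_start()` here; with strict mode enabled PHP replaces that ID with a new empty session, so `$loggedIn` stays false.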

Source: https://habr.com/ru/post/1335476/

