When and where should I use session_start?

by

As others have said, the absolute requirements of what you must do are:

  • You must run session_start before you read or write to $_SESSION (otherwise it will just be an ordinary array and not saved anywhere).
  • You must not run session_start twice during a single script execution (page load) unless you use session_write_close to close it in between.

There is an extra rule that technically has exceptions, but is best treated as absolute:

  • Do not start the session after you have written any output (echo, HTML outside PHP blocks, etc), because PHP may not be able to send cookies to the browser if the server has already started sending the content.

There are two reasons you might want to avoid starting the session:

  • PHP locks the session when you open it to avoid two processes writing conflicting data into it, so if you have several requests happening at once, you want to avoid them waiting for each other unless they really need to. For instance, if you’re responding to an AJAX request, and don’t need any data from the session, don’t open it.
  • As mentioned by symcbean, there is some cost to creating a new session, so if your site is busy with either legitimate or malicious traffic, you might want to serve some landing pages or error messages without starting it at all.

After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is “as soon as possible, if you’re sure the page needs it”.

More Related Contents:

  1. PHP Sessions across sub domains
  2. PHP Session Fixation / Hijacking
  3. “Keep Me Logged In” – the best approach
  4. How to properly add cross-site request forgery (CSRF) token using PHP
  5. “Cannot send session cache limiter – headers already sent” [duplicate]
  6. How do PHP sessions work? (not “how are they used?”)
  7. How unique is the php session id
  8. How to fix the session_register() deprecated issue?
  9. Cookies vs. sessions
  10. Preventing session hijacking
  11. PHP sessions that have already been started [duplicate]
  12. What is the default lifetime of a session?
  13. PHP sessions timing out too quickly
  14. proper way to logout from a session in PHP
  15. PHP – Session destroy after closing browser
  16. Looping Through All a Server’s Sessions in PHP
  17. Can’t pass mysqli connection in session in php
  18. Accessing session from TWIG template
  19. Detect if PHP session exists
  20. What is PHP session_start()
  21. PHP __PHP_Incomplete_Class Object with my $_SESSION data
  22. How do I continue a session from one page to another with PHP
  23. Remotely destroy a session in php (user logs in somewhere else)?
  24. Session hijacking and PHP
  25. Call to undefined function session_register() [duplicate]
  26. Why Session object destruction failed
  27. PHP Session not Saving
  28. Session lost after page redirect in php
  29. session_start hangs
  30. PHP authentication with multiple domains and subdomains

Leave a Comment