
When and where should I use session_start?

Exactly when and where should I use session_start() in PHP?

For example, say I have a login script that sets a session variable to tell whether or not the user is logged in. Must I then put the session_start() at the top of the script, or only right before I actually set the session variable if the login was successful?

<?php
// session_start(); here?

if (login($username, $password)) {
    // session_start(); or here?

    $_SESSION["username"] = $username;
}
?>

Another case is this, according to w3schools:

Note: The session_start() function must be the very first thing in your document. Before any HTML tags.

Unless you have output buffering enabled, the session_start() must come before anything other than headers is sent to the browser (as it sets a cookie in the header).

It must come before you attempt to reference the $_SESSION data.

In your example there are no HTML tags being output before either instance, so both would work.

There is some cost to opening a session, so if you are doing additional, non-session-based validation of the request, then deferring session_start() till these checks have passed does give you a bit more resilience against DOS attacks.

As others have said, the absolute requirements of what you must do are:

  • You must run session_start before you read or write to $_SESSION (otherwise it will just be an ordinary array and not saved anywhere).
  • You must not run session_start twice during a single script execution (page load) unless you use session_write_close to close it in between.

There is an extra rule that technically has exceptions, but is best treated as absolute:

  • Do not start the session after you have written any output (echo, HTML outside PHP blocks, etc.), because PHP may not be able to send cookies to the browser if the server has already started sending the content.

There are two reasons you might want to avoid starting the session:

  • PHP locks the session when you open it to avoid two processes writing conflicting data into it, so if you have several requests happening at once, you want to avoid them waiting for each other unless they really need to. For instance, if you're responding to an AJAX request, and don't need any data from the session, don't open it.
  • As mentioned by symcbean, there is some cost to creating a new session, so if your site is busy with either legitimate or malicious traffic, you might want to serve some landing pages or error messages without starting it at all.

After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is "as soon as possible, if you're sure the page needs it".
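The login script from the question, written out to follow the rules in the two answers above (defer session_start() until the cheap, session-free checks have passed; start it before any output and before touching $_SESSION; release the lock with session_write_close() once you are done writing). This is an added example, not code from the thread or from any answerer. The login() function, the $demoUsers store and the hash computed at start-up are constructed stand-ins for a real credential check; the session_regenerate_id() call on successful login is an addition the thread does not discuss.

```php
<?php
declare(strict_types=1);

// Constructed demo "user store": one account, bcrypt hash computed at start-up.
// Stand-in for a real database lookup.
$demoUsers = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical credential check standing in for login() in the question.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// 1. Cheap, session-free validation first. Malformed requests are rejected
//    before a session file is created or locked (symcbean's DOS point).
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || $username === '' || $password === '') {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "username and password required\n";
    exit;
}

// 2. Nothing has been echoed yet, so the Set-Cookie header can still be sent.
//    headers_sent() turns the "no output before session_start()" rule into a
//    check that fails loudly instead of silently losing the cookie.
if (headers_sent($file, $line)) {
    throw new RuntimeException("output already started at $file:$line; cannot start session");
}
session_start();   // must precede the first read or write of $_SESSION

if (login($demoUsers, $username, $password)) {
    // Addition not discussed in the thread: issue a fresh session ID on login so
    // the pre-login ID is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['username']     = $username;
    $_SESSION['logged_in_at'] = time();
    $status = 200;
} else {
    unset($_SESSION['username'], $_SESSION['logged_in_at']);
    $status = 401;
}

// 3. Done writing: persist the data and release the per-session lock, so a
//    concurrent request from the same browser (e.g. an AJAX call) is not
//    serialised behind this one. A second session_start() is not needed.
session_write_close();

// Output only now, after the session is closed. $_SESSION is still readable
// in memory, but changes made from here on are no longer saved.
http_response_code($status);
header('Content-Type: text/plain');
echo isset($_SESSION['username']) ? "logged in as {$_SESSION['username']}\n" : "login failed\n";
```

For a request that only needs to read the session (the AJAX case in the second answer), `session_start(['read_and_close' => true])` (PHP 7.0+) reads the data and releases the lock immediately, which avoids holding other requests up. If a framework has already started output buffering with ob_start(), the "no output before session_start()" rule is relaxed because the cookie header can still be added before the buffer is flushed, but the headers_sent() check above is still the cheapest way to confirm that.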

Starting the session at the top of the page is most of the time the best. But if you don't need the session for the whole document/code, you could always put it, as in this example, after the if() clause.

The session_start() function can go anywhere in your code. You should just place it at the beginning of your document for consistency and call it a day. If you have a separate database or config file you are including on all your login/database-driven pages, you should place it in there so you don't have to recode it into every page.

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, credit this site or the original source. Questions: yoyou2525@163.com.

 