PHP Login - Get userdata from DB or store in Session?

Question

For my login system, I will need to retrieve some userdata ranging from the username to the session & the 'ban status' which checks if a user is suspended.

I've seen some systems that retrieves these data from users on each load. My question is: is this counted as unnecessary stress to my server?

Or should I just store those data in my $_SESSION? It'll however not be as updated, and I have no idea how to check for the ban status.

Thanks!

Answer 1

A single database query to retrieve the user info on each request should be fine - it's very fast, and not much of a hit on the server. You could always add caching later (eg APC or memcached) for which you could tell the cache to expire every 10 minutes or however often you need to check whether the user is banned. But I wouldn't bother with that unless your site gets a lot of traffic and you're actually noticing performance issues (in other words, avoid premature optimization ).

EDIT: If changes to the user's banned status always happen through your app, rather than directly in the database, then you could set up some code to run when the user is banned to clear the cache. That way there wouldn't be potentially a 10 minute delay (or whatever the cache expiration time is) before the ban took effect. But as I said above, you probably don't need to bother with caching in the first place.

Answer 2

It depends

Username example It is unnecessary to always query the database to get the user's username because how often is the user likely to change his/her username? So its better to store it in a session variable when the user logs in

If infact, when the user does changes his/her username, you would want to update so in this case, when the user changes his username, you could update the user's session variable:

function changeUsername($username){
    $userId = $_SESSION['user']['id'];

    //Code to change username

    updateUserSession($userId);
}

function updateUserSession($userId){
    //Query new username and other information
    $_SESSION['user'] = $dataFromQuery
}

Ban Status Example if you have a feature which allows you to ban users. You can still use sessions variables. The only difference this time in you code would be, when you ban a user, you will have to clear and refill the session variable to update it with new information. However, this can be a bit tricky to do so because the person banning is different from the person who is getting banned, so accessing the user's session variable is tricky and will require a work around

So a better way to do it is you'll have to repeatedly check the ban status on each page request. However executing a query every page request isn't a bad thing. In fact lots of sites do hundreds of query. But note, one big query to get all the information is better than a hundred small queries to get the same amount of information.

So it is all upto you, The username and ban status example using session variables is obviously an over kill but I said it anyways to illustrate how one would do it if they wanted to. There is nothing wrong and in fact, that is recommended for sites with high traffic since storing values in a session variable is a form of caching . There are other ways to cache data but this is one of them