Exactly when and where should I use session_start()
in PHP?
For example, say I have a login script that sets a session variable to tell whether or not the user is logged in. Must I then put the session_start()
at the top of the script, or only right before I actually set the session variable if the login was successful?
<?php
// session_start(); here?
if (login($username, $password)) {
// session_start(); or here?
$_SESSION["username"] = $username;
}
?>
Another case is this, according to w3schools
Note: The session_start() function must be the very first thing in your document. Before any HTML tags.
Starting the session at the top of the page is most of the times the best. But if you don't need the session for the whole document/code, you could always put it, as in this example, after the if() clause.
The session_start() function can go anywhere in your code. You should just place it at the beginning of your document for consistency and call it a day. If you have a separate database or config file you are including on all your login/database driven pages, you should place it in there so you don't have to recode it into every page.
As others have said, the absolute requirements of what you must do are:
session_start
before you read or write to$_SESSION
(otherwise it will just be an ordinary array and not saved anywhere).session_start
twice during a single script execution (page load) unless you usesession_write_close
to close it in between.There is an extra rule that technically has exceptions, but is best treated as absolute:
echo
, HTML outside PHP blocks, etc), because PHP may not be able to send cookies to the browser if the server has already started sending the content.There are two reasons you might want to avoid starting the session:
After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is "as soon as possible, if you're sure the page needs it".
Unless you have output buffering enabled, the session_start() must come before anything other than headers are sent to the browser (as it sets a cookie in the header).
It must come before you attempt to reference the $_SESSION data.
In your example there are no html tags being output before either instance - so both would work.
There some cost to opening a session, so if you are doing additional, non-session based validation of the request, then deferring
session_start()
till these checks have passed does give you a bit more resillience against DOS attacks.