Create PHP session for all users or only ones who want to log in?

At the moment my CMS creates a PHP session for every user who visits the site. I'm thinking abou开发者_Go百科t only creating a session for users who want to log in. The problem I have here is that some UI elements for logged in users are on all pages, so on every page request the system has to check if the user is logged in, which means I have no other option to start a session on every page request? Or am I wrong? Is it normal practise to create a session for every user, even if dose not want to log in?

Short, I'd like to know if A. there is an option in my use case to only create a PHP session for users who want to log in and B. if it consider bad practise creating a session for every user, regardless if he wants to log in or not. If this isn't the case, I can leave things as they are really ...

You have no (real) choice. You can not know, that a user is logged in (or not) without a session.

Quick answer:

In your use case, it is perfectly fine to create a session for every user. Sessions are negligible and not something to worry about as far as performance goes (in your case).

The method you're using is not bad practice at all. In fact I'd say it's pretty near best practice.

Long answer: In my 6+ years of experience as a PHP programmer in the corporate world, it is perfectly normal to create a session for every user, regardless of whether or not they're logged in. In fact, sessions can be used to do a lot of convenient features for a user even when they're not logged in -- such as shopping carts, etc. You're doing things right. If you want to speed up performance at all, use a tool like Google's Pagespeed and Yahoo's YSlow -- they'll give you tips on best practice for websites.

It is possible to avoid creating a session every time. So what if session files are small? Why proliferate them when it's unnecessary?

This is what I do, in essence:

Check for the existence of the session cookie on the incoming request, and only do the session_start() if you've received one.

Logged-out users browsing the site (typically) won't be sending the session cookie, and so they won't trigger a session_start(). Simple.

Once someone logs into your site and you do want to start a session (session both logically in your application and in the PHP sense) then use session_start() etc which will handle setting up the cookie.

And once someone logs out, make sure you destroy the session cookie too, not just the PHP session itself.

Obviously the user could block your cookie operations at their end and screw things up, but they could do this anyway.

Can't you just look for an empty $_SESSION value to see if they're logged in?

In most cases, logins are managed via the session, therefore you must create a session at the start of the page to determine if they are logged in or not. You have no choice really... It is not bad practise, it is common practise.