Is setting php.ini's session.auto_start to 1 considered bad practice?

Question

I was playing around with php.ini\'s session.start_auto and tried setting it to 1. The site I am building requires session management on every page anyways and the server on

Answer 1

Nah, why should it be? In principle, its the same as having session_start(); as the second line in every page.

Answer 2

• IMO relying on php.ini settings can be tricky if people deploying your app don't have control on the php.ini (e.g. shared hosting). And even if the php.ini can be changed, understanding a problem due to a php.ini configuration problem may be difficult to understand (you may have to write a script allowing to check if config is Ok, etc.).

• As an alternative, you can create a unique "controller" script (e.g. /index.php), which will call and output different pages depending on parameters sent to it (e.g. yoursite.com/index.php?page=12 or even better yoursite.com/page/12 with routing & URL rewriting). And in that index.php file, put your session_start() once for all pages.

Answer 3

To be honest, I would consider it BAD to turn auto_session on. Like other people said, it is the same thing as putting a session_start() on ALL your pages.

Imagine all people that enters the main page of your website. A session will be created even before they tried to login or anything else. All spam-bots, all search engine bots etc will all create a session when entering your page. This is usually a bad thing as it will create TONS of files on your server (if session is file-based) or fill your ram cache (if session is memcache based).

It's much better to simply run session_start() only when you actually NEED a session. You can just create a "session class" or simple functions like session_get() and session_put() which will run session_start() for you. Then use those instead of $_SESSION directly.