NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP 4.3.3 and session_start

Chris Shiflett shiflett at php.net
Fri Feb 27 11:56:46 EST 2004 

--- Emmanuel Décarie <emm at scriptdigital.com> wrote:
> > Just to be clear, the error is there as a notice to let you know you 
> > might be doing something silly, which is absolutely correct because
> > in the vast majority of cases having multiple session_start calls is
> > an indication of bad programming.
> 
> I think you are wrong here. What I'm talking about is modularity and
> autonomy.

I don't see how you can justify multiple attempts to start a session with
modularity. If your application is truly modular, your session module
should take care of session stuff, and it should be trivial to make sure
this module only gets called once.

It sounds to me like the exact opposite is happening, as if session stuff
is buried within other, unrelated code. In this case, in fact, it sounds
like session stuff is buried in two different files with unrelated code,
both of which must be called. Of course, I admit to not really
understanding why this is an issue, so perhaps I'm making some erroneous
assumptions.

> But I still don't have an answer to my questions. What's the penalty
> for a second call to session_start ()?

You haven't received an answer, because:

1. You already know the answer, I think. There is no real penalty, because
PHP's session mechanism checks whether a session already exists. In fact,
this is when it lets you know of a potential problem. You're telling it to
start a session, it runs off to do so, and then it comes back saying,
"Uhhh, it looks like you already started one a while back. Did you mean to
do that?"
2. Your question is irrelevant.

It sounds as if you are arguing that a notice should not be given when "no
harm is done." If this were true, there would be no reason for different
level types. In fact, if this is your opinion, you should turn your
error_reporting level way down. Why should the PHP engine not grant
developers fine-grained control over their error reporting just because
some people:

1. Don't want to receive notices.
2. Don't want to bother turning their error reporting down to reflect
their preference.

I think your options are:

1. Turn error reporting way down, and worry no more about it.
2. Modularize your code better, so that your session mechanism is in its
own module, and you can include it only when you need to.
3. Check whether a session exists before telling PHP to start a session.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

More information about the talk mailing list