PHP login - get user data from database or save in session?

For my login system, I will need to get some user data, ranging from the username to the session, and a "deny status" that checks if the user is suspended.

I have seen some systems that pull this data from users for every download. My question is: is this considered unnecessary stress on my server?

Or just store this data in my $_SESSION? However, it won't update and I don't know how to check the ban status.




2 answers

A single database query to retrieve user information for each query needs to be accurate - it's very fast and doesn't hit the server hard. You can always add caching later (like APC or memcached) for which you can tell the cache to expire every 10 minutes or generally you need to check if the user is banned. But I wouldn't worry about that unless your site is getting a lot of traffic and you actually notice performance issues (in other words, avoid premature optimization).

EDIT: If changes to the banned user status are always happening through your application and not directly in the database, then you can configure the code to run when the user is prevented from clearing the cache. Thus, there would be no potential 10-minute delay (or whatever the cache expiration time is) before the ban took effect. But as I said above, you probably don't need to worry about caching in the first place.



It depends on the

User example: It is not necessary to always query the database to get the user's username, because often the user might change their username? So it's better to store it in a session variable when the user enters

If, in fact, you want to update it when a user changes their username, you can update the user session variable at that point:

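function changeUsername($username){
    $userId = $_SESSION['user']['id'];

    //Code to change username

    // Refresh the cached copy so the session reflects the new username
    updateUserSession($userId);
}

function updateUserSession($userId){
    //Query new username and other information
    // $dataFromQuery stands for the row returned by that query
    $_SESSION['user'] = $dataFromQuery;
}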


Deny status: if you have a feature that allows you to deny users, you can still use session variables. The only difference this time in your code will be when you disable the user, you have to clear and populate the session variable to update it with new information. However, this can be a little tricky to do, because the person doing the banning is different from the person who gets the ban, so accessing the user's session variable is tricky and would require a workaround.

Thus, the best way to do this is to check the deny status repeatedly for each page request. However, making a request for every page isn't bad. In fact, many sites fulfill hundreds of requests. But note that one big request for all the information is better than hundreds of small requests for the same amount of information.

So, it all depends on you. An example of a username and ban state using session variables is obviously more deadly, but I said it anyway to illustrate how to do it if they wanted to. There is nothing wrong and it is actually recommended for high traffic sites, since storing values in a session variable is a form of caching. There are other ways to cache data, but this is one of them.
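
The per-request deny check that both answers describe, as an added example that is not part of either answer: the session holds only the user id, and the deny flag is read from the database on every request. The `users` table, its `denied` column, the `loadActiveUser` helper and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

/** Return the user's current row, or null if not logged in, missing or denied. */
function loadActiveUser(PDO $db, array &$session): ?array
{
    if (!isset($session['user_id'])) {
        return null;                       // nobody is logged in
    }
    // One primary-key lookup per request, so the deny flag is never stale.
    $stmt = $db->prepare('SELECT id, username, denied FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || (int) $user['denied'] === 1) {
        // Drop the login state. With the real $_SESSION, also call
        // session_destroy() so the old session id stops being accepted.
        $session = [];
        return null;
    }
    return $user;
}

// Constructed demo data (assumed schema) in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, denied INTEGER DEFAULT 0)');
$db->exec("INSERT INTO users (id, username) VALUES (1, 'alice')");

$session = ['user_id' => 1];               // stands in for $_SESSION after login

// Request 1: the account is active, so the row comes back.
var_dump(loadActiveUser($db, $session) !== null);

// An administrator denies the account from a different session.
$db->exec('UPDATE users SET denied = 1 WHERE id = 1');

// Request 2: the same browser session is rejected and emptied.
var_dump(loadActiveUser($db, $session) !== null);
var_dump($session);
```

Because the administrator never has to touch the banned user's session, this avoids the cross-session workaround mentioned above; a cache with a short expiry can be placed in front of the lookup later if traffic requires it.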


