why are PHP sessions started?

[simplesimon]

I would like a reply from a developer. I would have posted this in the dev forum, but apparently that is for contributers only.

1. Why are PHP sessions started?
2. How can I stop CMSMS from using sessions?
3. Will this affect the functionality of CMSMS

AFAIK, I'm not using anything that requires sessions. It's pretty much a stock CMSMS install. I understand that the admin area would require sessions to keep track of the authentication. However, front end users do not need a session, do they?

I'm starting a session in a user defined tag. I get the headers already sent error.

[alby]

A common (and very useful) use, same to login authentication, is passing variables between web pages and I think that many modules use that

Alby

[simplesimon]

Variables between pages? Such as? There is nothing on my site that requires variables to be set between requests. My site is essentially static. Anyway, is there a way to have CMSMS stop using sessions?

[calguy1000]

No, session_start() is called very early in CMSMS for many reasons, and alot of stuff relies on the use of sessions.

So it isn't possible to disable, and this is probably something we won't consider doing.

[simplesimon]

No, session_start() is called very early in CMSMS for many reasons, and alot of stuff relies on the use of sessions.

So it isn't possible to disable, and this is probably something we won't consider doing.

I'm not asking CMSMS devs to disable it. I was wondering what uses it so I can work around it. How can requesting a page need sessions? I just don't get it. I see session_start() in the TinyMCE module and in include.php. There are @ in front of a bunch of lines, which IMHO, is a bad idea.
...
So I've commented out

Code: Select all

if(!@session_id()) session_start();

in include.php.
Everything seems to work fine. I can even log into the admin area. That seems strange to me, as I'm pretty sure that needs a session.
...
I've deleted all the session files and restarted apache, and I can still log into and use admin fine. Once I uncomment that line, I see session files being created again. So it seems that admin doesn't even use sessions. What gives? What are the "many reasons" and "alot of stuff" that "relies on the use of sessions"? I want to know what I'm breaking.

Thanks!

[Ted]

The core itself doesn't really use them for the frontend pages.  However, there are plenty of modules that use them (e-commerce for example).  If you're not using modules that need sessions, then you'll probably be fine disabling them, but our module devs rely on them being there under normal circumstances.

[simplesimon]

The core itself doesn't really use them for the frontend pages.  However, there are plenty of modules that use them (e-commerce for example).  If you're not using modules that need sessions, then you'll probably be fine disabling them, but our module devs rely on them being there under normal circumstances.

OK, thanks for the reply, Ted. I really appreciate hearing something from you.

I think the only module I have installed is Forms. They work fine so far.

I will be on the look out when upgrading. Thanks for everything!

[NaN]

What about an additional function in the module API to define if the module depends on sessions or not (like module dependencies)?
If the module needs sessions but sessions are disabled (maybe by a config var or by the server itself) or just not started (for whatever reason - maybe because a user disabled the line in the include.php ) you cannot install this module and get a message "needs sessions enabled".

[Ted]

Honestly, I don't think it's something we should disable.  Except for a spare cookie, it's no overhead in traffic, and only a very small about of processing power.  I think it's going to cause more harm than good to try and make an option that a lot of people might not understand the implications of disabling anyway.