
PHP Session Performance & Locking

Performance PHP 5.0+ Intermediate
debt(d8/e3/b4/t7)
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9), but Blackfire profiling or strace can reveal serialised requests, so d8. Not caught by static tools — only manifests under concurrent load.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). Quick fix is switching session handler config to Redis, or adding session_write_close() calls — small config change plus possibly a few strategic call sites.

b4 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3) leaning toward b5. Session handling touches web context broadly but the choice is centralised in session config; storing large objects or relying on file locks can create persistent productivity tax for AJAX-heavy apps.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). Per misconception, devs assume sessions have no concurrency impact — the 'obvious' use (just call session_start) silently serialises AJAX requests, contradicting how sessions work in most other ecosystems.


Also Known As

session performance, PHP session locking, session file lock

TL;DR

PHP's file-based sessions acquire an exclusive lock per request — blocking concurrent requests from the same user until the lock is released.

Explanation

By default PHP stores sessions as files and acquires an exclusive flock() lock when session_start() is called. The lock is held until session_write_close() is called or the request ends, so all concurrent requests from the same user are serialised: an AJAX-heavy page making 5 simultaneous requests will queue them, each waiting for the previous one to release the lock.

Fixes:

  • Call session_write_close() as early as possible once session data is no longer needed.
  • Use session_start(['read_and_close' => true]) for read-only requests.
  • Switch to a Redis or Memcached session handler (configurable via session.save_handler), which supports more granular locking or lock-free read operations.

Redis sessions also enable horizontal scaling across multiple PHP-FPM servers without sticky sessions.

Common Misconception

Misconception: PHP sessions have no impact on concurrent request performance. In fact, PHP's default file-based sessions use exclusive file locking, so concurrent requests from the same user are serialised, not parallelised. Call session_write_close() as early as possible or switch to a non-locking session handler.

Why It Matters

PHP file-based sessions create a lock per session — concurrent requests from the same user block each other waiting for the lock to release, serialising what should be parallel AJAX calls.

Common Mistakes

  • Using file-based sessions for applications with concurrent AJAX requests — each request waits for the session lock.
  • Not calling session_write_close() early when session data is no longer needed in a long request.
  • Storing large objects in sessions — every request deserialises the entire session payload.
  • Not using Redis or Memcached sessions for multi-server deployments — file sessions are per-server.

Code Examples

✗ Vulnerable
session_start(); // exclusive lock held for the entire request
$data = $_SESSION['user'];
expensiveOperation(); // other requests from this user wait while this runs

✓ Fixed
session_start();
$data = $_SESSION['user'];
session_write_close(); // release the lock immediately; later $_SESSION writes are not saved
expensiveOperation();
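
An added example, not from the original page: a long request that has to read the session, do slow work, and then write a result back. It reads with session_start(['read_and_close' => true]) (PHP 7.0+) and reopens the session only for the write; the expensiveOperation() body and the last_report_at key are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the page's expensiveOperation().
function expensiveOperation($user): array
{
    usleep(500000); // simulate 0.5 s of slow I/O or computation
    return ['user' => $user, 'generated_at' => time()];
}

// 1. Read phase: load $_SESSION, then release the lock in the same call.
session_start(['read_and_close' => true]);

if (!isset($_SESSION['user'])) {
    http_response_code(401);
    exit;
}
$user = $_SESSION['user'];

// 2. Slow phase: no session lock is held here, so parallel AJAX calls
//    from the same user are not queued behind this request.
$report = expensiveOperation($user);

// 3. Write phase: reopen the session only long enough to store the result.
//    This must happen before any output is sent, otherwise session_start()
//    fails. Reopening reloads $_SESSION from storage, so changes made by
//    other requests during step 2 are kept; set only the key this request
//    owns instead of writing back a stale copy of the whole array.
session_start();
$_SESSION['last_report_at'] = $report['generated_at']; // hypothetical key
session_write_close();

header('Content-Type: application/json');
echo json_encode($report);
```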

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Switch session storage from files to Redis. File-based sessions require filesystem locks that block concurrent requests from the same user; Redis sessions are atomic and don't block.
📦 Applies To
PHP 5.0+ web
🔍 Detection Hints
File-based sessions with concurrent AJAX requests causing serialised execution; session_start() blocking; session files in /tmp on high-traffic server
Auto-detectable: ✗ No. Tools: blackfire, strace
🤖 AI Agent
Confidence: Medium; False Positives: Medium; ✓ Auto-fixable; Fix: Low; Context: File

