{ "slug": "php_session_performance", "term": "PHP Session Performance & Locking", "category": "performance", "difficulty": "intermediate", "short": "PHP's file-based sessions acquire an exclusive lock per request — blocking concurrent requests from the same user until the lock is released.", "long": "By default PHP stores sessions as files and acquires an exclusive flock() lock when session_start() is called. This serialises all concurrent requests from the same user — an AJAX-heavy page making 5 simultaneous requests will queue them, each waiting for the previous to call session_write_close(). Fixes: call session_write_close() as early as possible once session data is no longer needed; use session_start(['read_and_close' => true]) for read-only requests; switch to a Redis or Memcached session handler (configurable via session.save_handler) which supports more granular locking or lock-free read operations. Redis sessions also enable horizontal scaling across multiple PHP-FPM servers without sticky sessions.", "aliases": [ "session performance PHP", "session locking", "session file lock" ], "tags": [ "php", "performance", "session", "concurrency" ], "misconception": "PHP sessions have no impact on concurrent request performance. PHP's default file-based sessions use exclusive file locking — concurrent requests from the same user are serialised, not parallelised. Call session_write_close() as early as possible or switch to a non-locking session handler.", "why_it_matters": "PHP file-based sessions create a lock per session — concurrent requests from the same user block each other waiting for the lock to release, serialising what should be parallel AJAX calls.", "common_mistakes": [ "Using file-based sessions for applications with concurrent AJAX requests — each request waits for the session lock.", "Not calling session_write_close() early when session data is no longer needed in a long request.", "Storing large objects in sessions — every request deserialises the entire session payload.", "Not using Redis or Memcached sessions for multi-server deployments — file sessions are per-server." ], "when_to_use": [], "avoid_when": [], "related": [ "session", "redis_patterns", "caching", "php_fpm" ], "prerequisites": [ "sessions", "redis_patterns", "php_fpm" ], "refs": [ "https://www.php.net/manual/en/function.session-write-close.php" ], "bad_code": "session_start(); // lock held for entire request\n$data = $_SESSION['user'];\nexpensiveOperation(); // session locked while this runs", "good_code": "session_start();\n$data = $_SESSION['user'];\nsession_write_close(); // release lock immediately\nexpensiveOperation();", "quick_fix": "Switch session storage from files to Redis — file-based sessions require filesystem locks that block concurrent requests from the same user; Redis sessions are atomic and don't block", "severity": "high", "effort": "low", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/php_session_performance", "html_url": "https://codeclaritylab.com/glossary/php_session_performance", "json_url": "https://codeclaritylab.com/glossary/php_session_performance.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[PHP Session Performance & Locking](https://codeclaritylab.com/glossary/php_session_performance) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php_session_performance" } } } }