Showing cached data only to non-members with COOKIE check? (PHP)

Question

Caching the HTML output of non-important pages (like blog posts) really helps to speed up a site by skipping the loading of the entire system (and rendering time) and just spiting out a pre-made copy of the page. This would be one way you can keep large waves of users to your site index or whatever from eating resources.

However, one of the problems of caching pages is that in order to check wither or not you can show the page - you have to load the entire system (and the user lib) to check if the user is logged in. (Wordpress, CodeIgniter, Drupal, etc..)

Then you can determine if it is safe to show a cached version of the page or if you should re-render the page for the logged in user. And vis-versa; a page rendered for a logged-in user shouldn't be shown to a guest!

Anyway, I finally had an idea that I could just use if(empty($_COOKIE)) to test for a user session since I never use the URL to transfer the session ID. Then I remembered that since the session library is loaded on each page that probably won't work since it will create a cookie when session_start() is called.

Does anyone have any ideas about how to test for a user session without loading your database connection -> for your session library -> for your user library?

Answer 1

You could set some kind of session variable once the user logs in, i.e.

//user has successfully logged in
$_SESSION['logged_in'] = true;

Then, somewhere very early in your page load (before any libraries have loaded) you could do:

@session_start();
if(!(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true))
{
  //not a logged in user, show the cache!
  load_cache();  //or however this works
  exit();
}

On a logout, you'd either do session_destroy() or $_SESSION['logged_in'] = false;

Answer 2

I just recently learned this, so I hope I have everything straight.

In order to access saved session variables, you have to have a session started. In the project I'm working on, the 'user login' and 'create new user' pages all start out with session_start(). I also tried testing if the cookie was set, which didn't work too well. If the user is logged in or not, it doesn't matter, because there will be a cookie for both guests and logged in users. If you have a session then you'll have a cookie (provided that's how you have php setup, which sounds like you do). So instead of testing the cookie, I test to see if a session variable is set. This variable will only be set once the user successfully logs in.

if (loginSuccess()) { $_SESSION['login']="true"; }

After this, I can now test to see if that session variable is set, and display content appropriately. My user can navigate away from those pages, come back, and it will still remember that session variable.

I'm sure there are better, secure ways of doing this though.

Answer 3

Yes, as I stated the current method involves loading the system, database (assuming your sessions use the database), and finally starting the session which is a waste if you are only going to show cached content.

Perhaps you could set a cookie called "logged_out" (or "logged_in") in addition to the session cookie. Then you could test for "logged_out" cookie on each page load without the need to load the session and database?

Actually, since you would have bots and other non-cookie user agents you it would be better to create a "logged_in" cookie on login and then everywhere else check for a false/non-existent cookie as a sign for a guest.