When and where should I use session_start?

Question

Exactly when and where should I use session_start() in PHP?

For example, say I have a login script that sets a session variable to tell whether or not t

Answer 1

Unless you have output buffering enabled, the session_start() must come before anything other than headers are sent to the browser (as it sets a cookie in the header).

It must come before you attempt to reference the $_SESSION data.

In your example there are no html tags being output before either instance - so both would work.

There some cost to opening a session, so if you are doing additional, non-session based validation of the request, then deferring session_start() till these checks have passed does give you a bit more resillience against DOS attacks.