When and Where Should I Use Session_Start

When and where should I use session_start?

As others have said, the absolute requirements of what you must do are:

You must run session_start before you read or write to $_SESSION (otherwise it will just be an ordinary array and not saved anywhere).
You must not run session_start twice during a single script execution (page load) unless you use session_write_close to close it in between.

There is an extra rule that technically has exceptions, but is best treated as absolute:

Do not start the session after you have written any output (echo, HTML outside PHP blocks, etc), because PHP may not be able to send cookies to the browser if the server has already started sending the content.

There are two reasons you might want to avoid starting the session:

PHP locks the session when you open it to avoid two processes writing conflicting data into it, so if you have several requests happening at once, you want to avoid them waiting for each other unless they really need to. For instance, if you're responding to an AJAX request, and don't need any data from the session, don't open it.
As mentioned by symcbean, there is some cost to creating a new session, so if your site is busy with either legitimate or malicious traffic, you might want to serve some landing pages or error messages without starting it at all.

After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is "as soon as possible, if you're sure the page needs it".

When to use session_start()?

Use it once per page, at the very top, before you plan to use any $_SESSION variables

don't I need to use session_start() to use session global variables?

Your first block of code should be checking if the session variable is set, rather than the user variable exists in the session:

if(!isset($_SESSION)) {
    session_start();
}

However, if you just ensure that you only have a single session_start() per page then you can avoid the "A session had already been started" notice.

Should session_start always be called?

So I thought it's probably better to only call session_start() when I am actually writing something into the session (login) and then only call it, if there's a logged in user active.

If you set up a login system in any vaguely traditional way that involves sessions, there is no way to tell if you have a logged in user without calling session_start.

just a couple of people saying that session_start() should always be called. Does that make sense?

Yes. If you are going to interact with a session — be it to write to the session, or read from it — then call session_start().

Most websites that deal with login sessions will put a "You are logged in as Bob: click here to logout" or "You are not logged in: click here to log in" message on every page, so most websites will need to call sessions_start() on every page.

And isn't it a performance issue if all these session-ids are stored?

No.

It has a performance impact, but that impact is probably negligible. If it becomes a problem, worry about it then.

Don't try to solve performance problems you don't have.

PHP session_start() function: Why I need it everytime I use anything related to PHP sessions

session_destroy() destroys the active session. If you do not initialized the session, there will be nothing to be destroyed.

When and Where Should I Use Session_Start