
I am learning PHP and have enrolled in a course. My user login is displayed below.

My question is: do I have to select all fields I want in a session when logging in? Could I not just use `SELECT email` and pull all rows by that, or do I have to select all rows on login?

For example, take this uid = uid for that session; should it not pull all info about the user with id = id?

        $_SESSION['email'] = $email;
        $_SESSION['uid'] = $row['uid'];



    function login_user($email, $password)
    {
        // escape(), query(), row_count() and fetch_array() are the course's own
        // helpers; a prepared statement would avoid building SQL from strings.
        $sql = "SELECT pwd, uid, user, birthdate FROM users WHERE email = '" . escape($email) . "' AND active = 1";

        $result = query($sql);

        if (row_count($result) == 1) {
            $row = fetch_array($result);
            $db_password = $row['pwd'];

            if (password_verify($password, $db_password)) {
                $_SESSION['email'] = $email;
                $_SESSION['uid'] = $row['uid'];
                // the query selects the column as `user`, so it must be read under that key
                $_SESSION['username'] = $row['user'];
                $_SESSION['birthdate'] = $row['birthdate'];

                return true;
            } else {
                return false;
            }
        } else {
            return false;
        }
    }
Cœur
Rome
  • It's not necessary to store all the user data in the session; store only the data in the session that you frequently require in other pages. You can store only the email in the session and on the basis of that you can fetch other data in pages, but it depends on your needs: doing a query for the same data takes more time than storing it in the session. – Indrasinh Bihola Apr 07 '16 at 04:11
  • You only have to select email and password for verification purposes with a cookie only for the uid. Any other field you can fetch as and when you need it. – LogicalException Apr 07 '16 at 04:11
  • Thanks so much Charlie and Indrasinh Bihola – Rome Apr 07 '16 at 05:05

1 Answer


Deciding what to put in session data and what not effectively comes down to a trade-off – performance vs. storage space. Obviously these arguments are basically irrelevant for tiny projects, and only make a difference with high amounts of users, traffic, etc.

First of all, if your login is session-based, as is usual, PHP is going to load the required session data when needed, that is, when a session cookie is provided in the request. The session data has to contain, at the very least, the username / id of the logged-in user.

Approach 1 – storing a lot in the session data

Why not put a lot more into the session data? Whenever the user logs in, load data from the database into the session.

Pros

  • No need to perform any database operations after the log in, as long as the data doesn't change.
  • Less load on the database server.

Cons

  • Data is instead stored relatively inefficiently by PHP in its server-side session storage.
  • If your database server is not the same as the PHP server, this means you are now storing data on the wrong server.
  • If the data changes, the session has to be invalidated. If the only way to change the data stored in the session is with user interaction, this is somewhat easy to spot. If the data can be changed externally (i.e. other users can change the data via some interaction), this is a problem – session data needs to be invalidated sometimes, so you have to check the database anyway.

Approach 2 – keeping everything in the database

In this case, you only keep the id or username in the session data. Any other data is then loaded as needed from the database.

Pros

  • Id / username are generally set in stone for users. Once fully registered, at least one of these cannot be changed. Keeping only these in the session data is therefore very safe.
  • Less space wasted for storing session data.
  • No need to worry about invalidating / updating stale data; any change in the database is visible to the user immediately (e.g. on the next page request).
  • The PHP server is no longer responsible for keeping track of the data, so it is easier to decouple it from the database server and easier to have multiple PHP servers communicating with database servers.

Cons

  • Have to query the database often.
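Approach 2 as working code, added here as an example and not part of the answer or the course: only `uid` goes into the session and the remaining fields are loaded on demand with prepared statements. It assumes a PDO connection and a `users` table with the question's columns (uid, email, pwd, birthdate, active) plus a `username` column; the SQLite rows at the bottom are constructed demo data.

```php
<?php
// Added example, not the course's code: "Approach 2" from the answer.
// Session holds only the immutable uid; other fields are read on demand.
// Assumes a PDO handle and a users(uid, email, pwd, username, birthdate, active) table.

function login_user(PDO $pdo, string $email, string $password): bool
{
    // Select only what credential verification needs; bind the email, never concatenate it.
    $stmt = $pdo->prepare('SELECT uid, pwd FROM users WHERE email = :email AND active = 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwd'])) {
        return false;                          // same answer for unknown email and wrong password
    }

    session_regenerate_id(true);               // fresh session id once the user is authenticated
    $_SESSION = ['uid' => (int) $row['uid']];  // nothing else: no stale copies to invalidate
    return true;
}

function current_user(PDO $pdo): ?array
{
    static $cache = null;                      // at most one query per request
    if ($cache !== null) {
        return $cache;
    }
    if (empty($_SESSION['uid'])) {
        return null;                           // not logged in
    }
    $stmt = $pdo->prepare('SELECT uid, email, username, birthdate FROM users WHERE uid = :uid AND active = 1');
    $stmt->execute([':uid' => $_SESSION['uid']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {                     // deactivated since login: end the session
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $cache = $user;
}

// Demo with constructed data in an in-memory SQLite database.
session_start();
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT, pwd TEXT, username TEXT, birthdate TEXT, active INTEGER)');
$pdo->prepare('INSERT INTO users (email, pwd, username, birthdate, active) VALUES (?, ?, ?, ?, 1)')
    ->execute(['rome@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 'rome', '1990-01-01']);
var_dump(login_user($pdo, 'rome@example.com', 'wrong password'));
var_dump(login_user($pdo, 'rome@example.com', 'correct horse'));
print_r(current_user($pdo));
```

Because the session carries only the id, a change made to the user's row by anyone else is seen on the very next request, which is the invalidation problem the answer's Approach 1 has to solve by hand.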
Aurel Bílý