PHP sessions

WordPress VIP supports PHP sessions for storing short-lived, ephemeral session data. Session data is backed by Memcached to improve performance, but to ensure a site’s stability and scalability the performance of its underlying code should be optimized wherever possible.

Sessions can be useful in certain scenarios but they also have performance implications that should be carefully considered.

Considerations

When PHP sessions are used:

• All requests made by a user with a session will bypass the page cache. An increase in requests that bypass the page cache can have negative impacts on site performance. Indications of negative effects on performance can be observed in the “Page Cache Hit Rate” section of Insights & Metrics in the VIP Dashboard.
• Consider limiting the scope of a session by starting a session only at the moment the need for it begins, then destroying the session as soon as the need for it ends.
• Sessions can also be started for specific URLs by setting the path parameter of session_set_cookie_params(). This can help to limit the number of uncacheable URLs.

Runtime configurations

By default, runtime configurations for session cookies are set to httponly and secure. This ensures that session cookies will only be sent with HTTPS requests (the default on all WordPress VIP sites) and prevents session cookies from being accessible to JavaScript.

Though these default settings can be overridden using ini_set() or session_set_cookie_params() in vip-config/vip-config.php, doing so is strongly discouraged.