lamb · 2026-06-10 · caching, http, performance, php, sessions

Session marker cookie

The idea

A "marker cookie" is a tiny, readable-before-session flag whose only job is to decide whether to start a server-side session at all. PHP normally has to start a session before it can know if one is needed — and starting a session emits Set-Cookie plus no-cache headers, which makes the response uncacheable. By keeping a separate plain cookie (just a presence flag, with no auth value stored in it), the app can check "is this maybe-logged-in visitor worth a session?" before touching session machinery. Anonymous visitors carry no marker → no session → fully cacheable pages. The actual login state stays entirely server-side in $_SESSION.

How it shows up

In Lamb (bootstrap.php), should_start_session() returns true only if lamb_logged_in or LAMBSESSID is present. The marker holds a random UUID that's stored nowhere server-side — losing it doesn't log you out (server session still has you), and having it doesn't keep you logged in (an expired session yields an empty $_SESSION). It's a performance/caching gate, not authentication.
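
The gate and the authentication check kept apart, as an added sketch that is not Lamb's own code. The cookie names and should_start_session() come from the lesson; is_logged_in(), handle_request(), the user_id key and the sample requests are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Lamb's bootstrap.php. The cookie names and
// should_start_session() come from the lesson; the rest is assumed.
const MARKER_COOKIE  = 'lamb_logged_in';
const SESSION_COOKIE = 'LAMBSESSID';

// Pre-session gate: looks only at cookie presence, never at the values.
function should_start_session(array $cookies): bool
{
    return isset($cookies[MARKER_COOKIE]) || isset($cookies[SESSION_COOKIE]);
}

// Authentication decision: server-side session data only.
function is_logged_in(array $session): bool
{
    return !empty($session['user_id']); // 'user_id' is a hypothetical key
}

// $startSession stands in for session_start() + reading $_SESSION, so the
// sketch runs from the CLI without sending headers.
function handle_request(array $cookies, callable $startSession): array
{
    if (!should_start_session($cookies)) {
        // Anonymous branch: session machinery untouched, response stays cacheable.
        return ['session' => false, 'logged_in' => false];
    }
    return ['session' => true, 'logged_in' => is_logged_in($startSession())];
}

// Constructed requests: [cookies sent by the client, what the server session holds].
$cases = [
    'anonymous'                    => [[], []],
    'marker only, session expired' => [[MARKER_COOKIE => 'made-up-value'], []],
    'marker lost, session valid'   => [[SESSION_COOKIE => 'sid'], ['user_id' => 7]],
    'marker and valid session'     => [[MARKER_COOKIE => 'x', SESSION_COOKIE => 'sid'], ['user_id' => 7]],
];

foreach ($cases as $label => [$cookies, $serverSession]) {
    $r = handle_request($cookies, fn (): array => $serverSession);
    printf("%-30s session=%-5s logged_in=%s\n", $label,
        var_export($r['session'], true), var_export($r['logged_in'], true));
}
```

In the second case a client-supplied marker with no backing session costs a session start and a cache miss, and nothing else.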

Exercises

  1. Trace the gate — In Lamb, find should_start_session() and the one call site that uses its result. Confirm an anonymous request never reaches session_start(). Done when: you can name the file/line where the decision is made and what happens on each branch.
  2. Prove the cache win — Hit a page anonymously with curl -I and check there's no Set-Cookie and no no-store; then with the marker cookie present, confirm both appear. Done when: you have two curl -I outputs side by side showing the header difference.