Why is it not good to use $_SESSION in Restful Implementations?

Posted by keisimone on Stack Overflow
Published on 2010-03-09T03:54:18Z Indexed on 2010/03/09 5:36 UTC

Original Question:

I read that for RESTful websites, it is not good to use $_SESSION. Why is it not good? How then do I properly authenticate users without looking up the database all the time to check for the user's roles?


I read that it is not good to use $_SESSION.

http://www.recessframework.org/page/towards-restful-php-5-basic-tips

I am creating a WEBSITE, not a web service, in PHP, and I am trying to make it more RESTful, at least in spirit.

Right now I am rewriting all the actions to use form tags with POST and add in a hidden value called _method, which would be "delete" for a deleting action and "put" for an updating action.

However, I am not sure why it is recommended NOT to use $_SESSION. I would like to know why and what I can do to improve.

To allow easy authorization checking, what I did was this: after logging in the user, the username is stored in the $_SESSION.

Every time the user navigates to a page, the page checks if the username is stored inside $_SESSION, then based on the $_SESSION retrieves all the info, including privileges, from the database, and then evaluates the authorization to access the page based on the info retrieved.

Is the way I am implementing this bad? Not RESTful? How do I improve performance and security?

Thank you.

© Stack Overflow or respective owner
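
The `_method` hidden-field convention described in the question, as an added example that is not part of the original post: it resolves the intended method on the server, honours the override only on a real POST, and rejects any value other than the two the forms emit. The function name `effective_method`, the allow-list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the original post.
// Resolves the method a form intends when it carries the hidden "_method"
// field described in the question. Returns null when the override is
// malformed, so the caller can answer 400 instead of guessing.

function effective_method(array $server, array $post): ?string
{
    $real = strtoupper($server['REQUEST_METHOD'] ?? 'GET');

    // Only a real POST may be overridden: a GET (link, image tag, prefetch)
    // must never be able to turn itself into a DELETE or PUT.
    if ($real !== 'POST' || !array_key_exists('_method', $post)) {
        return $real;
    }

    // PHP turns "_method[]=delete" into an array; treat that as malformed.
    if (!is_string($post['_method'])) {
        return null;
    }

    $override = strtoupper(trim($post['_method']));

    // Allow-list (assumption): only the two values the question's forms send.
    return in_array($override, ['PUT', 'DELETE'], true) ? $override : null;
}

// Constructed sample requests; plain arrays stand in for $_SERVER and $_POST
// so the script runs from the command line.
$samples = [
    'delete form'        => [['REQUEST_METHOD' => 'POST'], ['_method' => 'delete']],
    'update form'        => [['REQUEST_METHOD' => 'POST'], ['_method' => 'put']],
    'plain form'         => [['REQUEST_METHOD' => 'POST'], []],
    'override on GET'    => [['REQUEST_METHOD' => 'GET'],  ['_method' => 'delete']],
    'unknown override'   => [['REQUEST_METHOD' => 'POST'], ['_method' => 'trace']],
    'array-valued field' => [['REQUEST_METHOD' => 'POST'], ['_method' => ['delete']]],
];

foreach ($samples as $label => [$server, $post]) {
    $method = effective_method($server, $post);
    printf("%-20s => %s\n", $label, $method ?? 'rejected (400)');
}
```

The authorization check described in the question still has to run after the method is resolved, since the override changes which action the request is asking for.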
