How to manage the session start in CakePHP when building a REST API?

Question

I have read this post earlier: Generally splitting admin and web app into two entities

Basically the gist of it is that we can combine the api side of things and the web front side of things together in one cakephp app. However, as you know REST is stateless and there is no reason to expect the client to keep a cookie or anything like that. Do you guys know when exactly does the session_start function gets trigger in CakePHP? I really want to avoid the running session_start when my API end points are hit. However, I will need session to start when my regular web fronts are hit.

Answer 1

For cake v2+, in general do not do any of the following:

• make calls to CakeSession
• Load session component or use session helper
• remove $this->session->flash() from layouts
• dont use auth component

If you are still getting sessions started (can tell by getting a cookie in the response header), its easy to track down who is starting the session. Just add the following lines to lib/Cake/Model/Datasource/CakeSession.php in the start() method:

public static function start() {
  debug_print_backtrace();
  exit();
  ...
}

Make a request and you'll see a call stack of who the culprit was :)