PHP
banny_name, 2015-10-11 12:29:27

How do I properly implement authorization for these tasks?

I dug through several pages of search results here, but I did not find anything useful.
I am interested in how to store the data (session or cookies); I know that sessions use a cookie (the identifier).
I will need to:
1. Use sessions to store information (name, path to avatar, and age): there are pages where the database is not used, but this information is needed, and making a request to the database every time is silly.
2. Manipulate the user when he is offline (log him out, etc.).
3. Remember the user so that he does not have to enter a login/password every time (if done with sessions, I save the session to my own directory and give it a lifetime of a month).
How best to implement this?
Right now I have everything in sessions (sessions on the fs (file system); I plan to move them to the database).
But I am often told that it is better to do it with a cookie holding an access_token, and I don't fully understand the mechanism...
Please advise; I will be very grateful.

2 answers
wol_fi, 2015-10-11
@banny_name

1. Use sessions to store information (name, path to avatar, and age): there are pages where the database is not used, but this information is needed, and making a request to the database every time is silly.

Better to keep it in memory. In your setup, redis is ideal as a session store (you won't have to rewrite any code: just set session_handler = redis in the config and all your $_SESSION data will automatically be kept in memory).
2. Manipulate the user when he is offline (log him out, etc.).
3. Remember the user so that he does not have to enter a login/password every time (if done with sessions, I save the session to my own directory and give it a lifetime of a month).
How best to implement this?
Right now I have everything in sessions (sessions on the fs (file system); I plan to move them to the database).
But I am often told that it is better to do it with a cookie holding an access_token, and I don't fully understand the mechanism...
You definitely need tokens for this. In simple terms, it goes something like this:
create a table tokens (token, userId, lifeTime) and generate the token as a hash, for example of the user ID + salt. Store it in the database together with its expiry time and put it in a cookie for the user. Then check: if the user has a token cookie, verify its hash; if it is valid, look at the lifetime in the database; if everything is OK, authorize him, otherwise reset the authorization.
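
The php.ini directives that actually select the phpredis session handler, as an added example (not part of the answer above). It assumes the phpredis extension is installed and a Redis instance is listening on 127.0.0.1:6379; the extra session.* lines are the cookie hygiene a practitioner would want for the session id itself.

```ini
; php.ini fragment (added example): store $_SESSION in Redis via phpredis
session.save_handler = redis
session.save_path    = "tcp://127.0.0.1:6379"

; hygiene for the PHPSESSID cookie
session.use_strict_mode = 1   ; refuse session ids the server did not issue
session.cookie_httponly = 1   ; not readable from JavaScript
session.cookie_secure   = 1   ; only sent over HTTPS
```

With session.save_handler set this way the application code keeps using $_SESSION unchanged; only the storage backend moves off the file system.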
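
The "remember me" token scheme from the answer above, carried through as an added example (this is not the answerer's code). It assumes SQLite through PDO as a stand-in for the real database and a fixed clock so it runs offline. One deliberate departure from the answer is labelled in the code: the token is 32 bytes from random_bytes() rather than a hash of user ID + salt, and only its SHA-256 is stored in the table, so a leaked tokens table cannot be replayed as cookies. Revoking a row is what "log him out while offline" (point 2) turns into.

```php
<?php
// Added example: persistent login tokens kept in a tokens(tokenHash, userId, expiresAt) table.
// Assumptions (not from the original page): PDO + SQLite as the database, a constant clock,
// and random_bytes() instead of hash(userId + salt) for the token value.
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 3600; // one month, as the question asks
const COOKIE_NAME    = 'remember';

function initDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the SHA-256 of the token is stored, never the token itself.
    $db->exec('CREATE TABLE tokens (
        tokenHash TEXT PRIMARY KEY,
        userId    INTEGER NOT NULL,
        expiresAt INTEGER NOT NULL)');
    return $db;
}

// Called once after a successful password login; returns the raw token for the cookie.
function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG (assumption: not userId + salt)
    $stmt = $db->prepare('INSERT INTO tokens (tokenHash, userId, expiresAt) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now + TOKEN_LIFETIME]);
    return $token;
}

// Checks a cookie value; returns the user id, or null if the token is unknown or expired.
function userFromToken(PDO $db, string $cookieValue, int $now): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null; // reject malformed input before it reaches the database
    }
    $stmt = $db->prepare('SELECT userId, expiresAt FROM tokens WHERE tokenHash = ?');
    $stmt->execute([hash('sha256', $cookieValue)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int)$row['expiresAt'] <= $now) {
        revokeToken($db, $cookieValue); // expired: delete so the row cannot linger
        return null;
    }
    return (int)$row['userId'];
}

// Point 2 of the question: deleting the row invalidates that cookie wherever it was set.
function revokeToken(PDO $db, string $cookieValue): void {
    $stmt = $db->prepare('DELETE FROM tokens WHERE tokenHash = ?');
    $stmt->execute([hash('sha256', $cookieValue)]);
}

// Forced logout from every device, e.g. after a password change.
function revokeAllForUser(PDO $db, int $userId): void {
    $stmt = $db->prepare('DELETE FROM tokens WHERE userId = ?');
    $stmt->execute([$userId]);
}

// How the cookie is sent in the real handler (needs an HTTP response, so not called below).
function sendRememberCookie(string $token, int $now): void {
    setcookie(COOKIE_NAME, $token, [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // never over plain HTTP
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

// Offline self-check with a constructed clock (2015-10-11, the date of the thread).
function selfCheck(): bool {
    $db  = initDb();
    $now = 1444564167;
    $token = issueToken($db, 42, $now);
    $ok  = userFromToken($db, $token, $now + 60) === 42;                 // valid
    $ok  = $ok && userFromToken($db, strrev($token), $now + 60) === null; // wrong token
    $ok  = $ok && userFromToken($db, $token, $now + TOKEN_LIFETIME) === null; // expired
    $token2 = issueToken($db, 42, $now);
    revokeAllForUser($db, 42);
    return $ok && userFromToken($db, $token2, $now + 60) === null;       // logged out
}

echo selfCheck() ? "ok\n" : "FAILED\n";
```

Look-up is by hash of the cookie value, so the database never sees the secret and an attacker who dumps the table still cannot log in. Rotate the token (issue a new one, revoke the old) on every successful cookie login if you also want theft of a cookie to be detectable by the legitimate user.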

Adamos, 2015-10-11
@Adamos

The original approach: right now everything is in sessions on the fs, which is fine, but an extra request to the database is somehow stupid. So let's store everything in cookies and pile up constant re-checks of whatever the user could have stuffed in there. And if, God forbid, he uses more than one computer, then on the other one his avatar will stay old until he logs in again. It's such a joy to clean up little things like that when they suddenly lead to problems!
