
Soddashiki's avatar

Why API routes do not have session middleware?

Hi,

There are many topics over the internet stating that API routes do not have session middleware and adding it is not recommended. But none of the topics state any reason why.

So, if I need to use session in one of my API routes, is it potentially dangerous to add session middlewares to my api route (or using web routes instead as api)? What should I be aware of?

The data that I'm accessing does not contain anything sensitive and is publicly accessible.

Thanks.

henriquesalvan's avatar

Scalability

Session based authentication: Because the sessions are stored in the server’s memory, scaling becomes an issue when there is a huge number of users using the system at once.

Token based authentication: There is no issue with scaling because the token is stored on the client side.

https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4

https://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness
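An added example (not part of the reply above, and not Laravel's own session or token code) of the contrast it describes: a session id only resolves on a server that holds the session state, while an HMAC-signed token is verified by any server that has the key. The key, the user id and all class and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Constructed demo key; a real deployment loads this from configuration.
const DEMO_KEY = 'constructed-demo-key-not-for-production';

// Session model: the cookie carries only a random id, the state lives server-side.
final class SessionStore
{
    private array $rows = [];
    public function start(int $userId): string
    {
        $id = bin2hex(random_bytes(16));
        $this->rows[$id] = ['user' => $userId];
        return $id;
    }
    public function userFor(string $id): ?int
    {
        return $this->rows[$id]['user'] ?? null;
    }
}

// Token model: the client holds the claims, the server keeps only the key.
function issueToken(int $userId, int $ttl, string $key): string
{
    $payload = base64_encode(json_encode(['user' => $userId, 'exp' => time() + $ttl], JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function userFromToken(string $token, string $key): ?int
{
    [$payload, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null; // forged or altered token
    }
    $claims = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null; // malformed or expired token
    }
    return (int) $claims['user'];
}

$nodeA = new SessionStore();
$nodeB = new SessionStore(); // a second app server with its own, separate memory
$sid   = $nodeA->start(42);
$token = issueToken(42, 300, DEMO_KEY);
var_dump($nodeA->userFor($sid));                 // lookup on the node that created the session
var_dump($nodeB->userFor($sid));                 // same id presented to the other node
var_dump(userFromToken($token, DEMO_KEY));       // token checked with only the shared key
var_dump(userFromToken('x' . $token, DEMO_KEY)); // tampered token
```

A token verified this way cannot be revoked before its `exp` time without reintroducing server-side state, which is why the lifetime is kept short here.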

martinbean's avatar

Why API routes do not have session middleware?

@tsekka Because RESTful APIs are typically stateless. Authentication is done using a token rather than storing a user’s authentication details in a session.

The data that I'm accessing does not contain anything sensitive and is publicly accessible.

So why do you need the session?

Soddashiki's avatar

Hi, thanks for the replies.

I got a little confused because I don't actually use API routes to provide data for mobile apps or other websites. I'm using it inside my own site to get data with axios. I defined those routes in api for better structure, even though they're essentially web routes and while asking a question, I was in this context.

For some reason I forgot that api routes are for building apis :)
