Yes, session_start() consumes resources. However, unless your site has huge amounts of traffic, not so as you’d notice. And the alternative ways of storing session data are nearly all a lot harder to implement, and tend to have interesting failure modes.

The only thing I’d recommend is to be careful about what you do put into the session – huge amounts of data will have a noticable impact even with lower levels of traffic. The classic mistake is to accidentally load the entire object tree for your business logic layer into your session state.

For instance, assume you’re building a shopping cart; when the customer clicks “add to basket”, you want to remember the item they added. So, you could add the item’s unique ID into the session, but then you have to look up price and description every time you show the basket, which is a pain. So, you decide to load an object representing the item into your session. This object contains price and description, but also the item’s category – and all the other items in that category, because your application isn’t using lazy loading. So now, each item in your shopping basket also contains hundreds or thousands of other objects; and before you know where you are, you’ve loaded pretty much your entire database into the session.