I'm working on a project with an authentication system that i'm looking to clean up. The short story of this project is a lack of consistency regarding authentication. I have a table of users and a table of profiles with associated permissions. I'm looking at going two routes:

Option 1: Query the database on every page to check to see if the user has permission, then allow or deny them

Option 2: Query the database when they login and store all the permissions in the $_SESSION array. Currently the system uses this method.

I've done some reading, and i've heard arguments on both sides. Can anyone offer some additional insight? The one thing I am considering right now is that in the process of revising authentication, there will be a lot more individual permissions added, which would make the array considerably large. Would there be any noticeable performance issues with going either route?