Cover of the book Symfony 5: The Fast Track

Symfony 5: The Fast Track is the best book to learn modern Symfony development, from zero to production. +300 pages showcasing Symfony with Docker, APIs, queues & async tasks, Webpack, SPAs, etc.

WARNING: You are browsing the documentation for Symfony 2.1 which is not maintained anymore. Consider upgrading your projects to Symfony 5.1.

Configuring Sessions and Save Handlers

Configuring Sessions and Save Handlers

This section deals with how to configure session management and fine tune it to your specific needs. This documentation covers save handlers, which store and retrieve session data, and configuring session behaviour.

Save Handlers

The PHP session workflow has 6 possible operations that may occur. The normal session follows open, read, write and close, with the possibility of destroy and gc (garbage collection which will expire any old sessions: gc is called randomly according to PHP’s configuration and if called, it is invoked after the open operation). You can read more about this at

Native PHP Save Handlers

So-called ‘native’ handlers, are save handlers which are either compiled into PHP or provided by PHP extensions, such as PHP-Sqlite, PHP-Memcached and so on.

All native save handlers are internal to PHP and as such, have no public facing API. They must be configured by PHP ini directives, usually session.save_path and potentially other driver specific directives. Specific details can be found in docblock of the setOptions() method of each class.

While native save handlers can be activated by directly using ini_set('session.save_handler', $name);, Symfony2 provides a convenient way to activate these in the same way as custom handlers.

Symfony2 provides drivers for the following native save handler as an example:

  • Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeFileSessionHandler

Example usage:

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeFileSessionHandler;

$storage = new NativeSessionStorage(array(), new NativeFileSessionHandler());
$session = new Session($storage);


With the exception of the files handler which is built into PHP and always available, the availability of the other handlers depends on those PHP extensions being active at runtime.


Native save handlers provide a quick solution to session storage, however, in complex systems where you need more control, custom save handlers may provide more freedom and flexibility. Symfony2 provides several implementations which you may further customise as required.

Custom Save Handlers

Custom handlers are those which completely replace PHP’s built in session save handlers by providing six callback functions which PHP calls internally at various points in the session workflow.

Symfony2 HttpFoundation provides some by default and these can easily serve as examples if you wish to write your own.

  • Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
  • Symfony\Component\HttpFoundation\Session\Storage\Handler\MemcacheSessionHandler
  • Symfony\Component\HttpFoundation\Session\Storage\Handler\MemcachedSessionHandler
  • Symfony\Component\HttpFoundation\Session\Storage\Handler\MongoDbSessionHandler
  • Symfony\Component\HttpFoundation\Session\Storage\Handler\NullSessionHandler

Example usage:

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler;

$storage = new NativeSessionStorage(array(), new PdoSessionHandler());
$session = new Session($storage);

Configuring PHP Sessions

The Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage can configure most of the PHP ini configuration directives which are documented at

To configure these settings, pass the keys (omitting the initial session. part of the key) as a key-value array to the $options constructor argument. Or set them via the setOptions() method.

For the sake of clarity, some key options are explained in this documentation.

Configuring Garbage Collection

When a session opens, PHP will call the gc handler randomly according to the probability set by session.gc_probability / session.gc_divisor. For example if these were set to 5/100 respectively, it would mean a probability of 5%. Similarly, 3/4 would mean a 3 in 4 chance of being called, i.e. 75%.

If the garbage collection handler is invoked, PHP will pass the value stored in the PHP ini directive session.gc_maxlifetime. The meaning in this context is that any stored session that was saved more than maxlifetime ago should be deleted. This allows one to expire records based on idle time.

You can configure these settings by passing gc_probability, gc_divisor and gc_maxlifetime in an array to the constructor of Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage or to the setOptions() method.

Session Lifetime

When a new session is created, meaning Symfony2 issues a new session cookie to the client, the cookie will be stamped with an expiry time. This is calculated by adding the PHP runtime configuration value in session.cookie_lifetime with the current server time.


PHP will only issue a cookie once. The client is expected to store that cookie for the entire lifetime. A new cookie will only be issued when the session is destroyed, the browser cookie is deleted, or the session ID is regenerated using the migrate() or invalidate() methods of the Session class.

The initial cookie lifetime can be set by configuring NativeSessionStorage using the setOptions(array('cookie_lifetime' => 1234)) method.


A cookie lifetime of 0 means the cookie expires when the browser is closed.

Session Idle Time/Keep Alive

There are often circumstances where you may want to protect, or minimize unauthorized use of a session when a user steps away from their terminal while logged in by destroying the session after a certain period of idle time. For example, it is common for banking applications to log the user out after just 5 to 10 minutes of inactivity. Setting the cookie lifetime here is not appropriate because that can be manipulated by the client, so we must do the expiry on the server side. The easiest way is to implement this via garbage collection which runs reasonably frequently. The cookie lifetime would be set to a relatively high value, and the garbage collection maxlifetime would be set to destroy sessions at whatever the desired idle period is.

The other option is to specifically checking if a session has expired after the session is started. The session can be destroyed as required. This method of processing can allow the expiry of sessions to be integrated into the user experience, for example, by displaying a message.

Symfony2 records some basic meta-data about each session to give you complete freedom in this area.

Session meta-data

Sessions are decorated with some basic meta-data to enable fine control over the security settings. The session object has a getter for the meta-data, getMetadataBag() which exposes an instance of Symfony\Component\HttpFoundation\Session\Storage\MetadataBag:


Both methods return a Unix timestamp (relative to the server).

This meta-data can be used to explicitly expire a session on access, e.g.:

if (time() - $session->getMetadataBag()->getLastUsed() > $maxIdleTime) {
    throw new SessionExpired(); // redirect to expired session page

It is also possible to tell what the cookie_lifetime was set to for a particular cookie by reading the getLifetime() method:


The expiry time of the cookie can be determined by adding the created timestamp and the lifetime.

PHP 5.4 compatibility

Since PHP 5.4.0, SessionHandler and SessionHandlerInterface are available. Symfony 2.1 provides forward compatibility for the SessionHandlerInterface so it can be used under PHP 5.3. This greatly improves inter-operability with other libraries.

SessionHandler is a special PHP internal class which exposes native save handlers to PHP user-space.

In order to provide a solution for those using PHP 5.4, Symfony2 has a special class called Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeSessionHandler which under PHP 5.4, extends from SessionHandler and under PHP 5.3 is just a empty base class. This provides some interesting opportunities to leverage PHP 5.4 functionality if it is available.

Save Handler Proxy

There are two kinds of save handler class proxies which inherit from Symfony\Component\HttpFoundation\Session\Storage\Handler\AbstractProxy: they are Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeProxy and Symfony\Component\HttpFoundation\Session\Storage\Handler\SessionHandlerProxy.

Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage automatically injects storage handlers into a save handler proxy unless already wrapped by one.

Symfony\Component\HttpFoundation\Session\Storage\Handler\NativeProxy is used automatically under PHP 5.3 when internal PHP save handlers are specified using the Native*SessionHandler classes, while Symfony\Component\HttpFoundation\Session\Storage\Handler\SessionHandlerProxy will be used to wrap any custom save handlers, that implement SessionHandlerInterface.

From PHP 5.4 and above, all session handlers implement SessionHandlerInterface including Native*SessionHandler classes which inherit from SessionHandler.

The proxy mechanism allows you to get more deeply involved in session save handler classes. A proxy for example could be used to encrypt any session transaction without knowledge of the specific save handler.


Before PHP 5.4, you can only proxy user-land save handlers but not native PHP save handlers.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.