Cover of the book Symfony 5: The Fast Track

Symfony 5: The Fast Track is the best book to learn modern Symfony development, from zero to production. +300 pages showcasing Symfony with Docker, APIs, queues & async tasks, Webpack, SPAs, etc.

WARNING: You are browsing the documentation for Symfony 2.2 which is not maintained anymore. Consider upgrading your projects to Symfony 5.1.

Session Management

Session Management

The Symfony2 HttpFoundation component has a very powerful and flexible session subsystem which is designed to provide session management through a simple object-oriented interface using a variety of session storage drivers.

New in version 2.1: The Symfony\Component\HttpFoundation\Session\SessionInterface interface, as well as a number of other changes, are new as of Symfony 2.1.

Sessions are used via the simple Symfony\Component\HttpFoundation\Session\Session implementation of Symfony\Component\HttpFoundation\Session\SessionInterface interface.

Quick example:

use Symfony\Component\HttpFoundation\Session\Session;

$session = new Session();

// set and get session attributes
$session->set('name', 'Drak');

// set flash messages
$session->getFlashBag()->add('notice', 'Profile updated');

// retrieve messages
foreach ($session->getFlashBag()->get('notice', array()) as $message) {
    echo "<div class='flash-notice'>$message</div>";


Symfony sessions are designed to replace several native PHP functions. Applications should avoid using session_start(), session_regenerate_id(), session_id(), session_name(), and session_destroy() and instead use the APIs in the following section.


While it is recommended to explicitly start a session, a sessions will actually start on demand, that is, if any session request is made to read/write session data.


Symfony sessions are incompatible with php.ini directive session.auto_start = 1 This directive should be turned off in php.ini, in the webserver directives or in .htaccess.

Session API

The Symfony\Component\HttpFoundation\Session\Session class implements Symfony\Component\HttpFoundation\Session\SessionInterface.

The Symfony\Component\HttpFoundation\Session\Session has a simple API as follows divided into a couple of groups.

Session workflow

  • start(): Starts the session - do not use session_start();
  • migrate(): Regenerates the session ID - do not use session_regenerate_id(). This method can optionally change the lifetime of the new cookie that will be emitted by calling this method;
  • invalidate(): Clears all session data and regenerates session ID. Do not use session_destroy();
  • getId(): Gets the session ID. Do not use session_id();
  • setId(): Sets the session ID. Do not use session_id();
  • getName(): Gets the session name. Do not use session_name();
  • setName(): Sets the session name. Do not use session_name().

Session attributes

  • set(): Sets an attribute by key;
  • get(): Gets an attribute by key;
  • all(): Gets all attributes as an array of key => value;
  • has(): Returns true if the attribute exists;
  • replace(): Sets multiple attributes at once: takes a keyed array and sets each key => value pair;
  • remove(): Deletes an attribute by key;
  • clear(): Clear all attributes.

The attributes are stored internally in an “Bag”, a PHP object that acts like an array. A few methods exist for “Bag” management:

  • registerBag(): Registers a Symfony\Component\HttpFoundation\Session\SessionBagInterface;
  • getBag(): Gets a Symfony\Component\HttpFoundation\Session\SessionBagInterface by bag name;
  • getFlashBag(): Gets the Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface. This is just a shortcut for convenience.

Session meta-data

  • getMetadataBag(): Gets the Symfony\Component\HttpFoundation\Session\Storage\MetadataBag which contains information about the session.

Session Data Management

PHP’s session management requires the use of the $_SESSION super-global, however, this interferes somewhat with code testability and encapsulation in a OOP paradigm. To help overcome this, Symfony2 uses ‘session bags’ linked to the session to encapsulate a specific dataset of ‘attributes’ or ‘flash messages’.

This approach also mitigates namespace pollution within the $_SESSION super-global because each bag stores all its data under a unique namespace. This allows Symfony2 to peacefully co-exist with other applications or libraries that might use the $_SESSION super-global and all data remains completely compatible with Symfony2’s session management.

Symfony2 provides 2 kinds of storage bags, with two separate implementations. Everything is written against interfaces so you may extend or create your own bag types if necessary.

Symfony\Component\HttpFoundation\Session\SessionBagInterface has the following API which is intended mainly for internal purposes:

  • getStorageKey(): Returns the key which the bag will ultimately store its array under in $_SESSION. Generally this value can be left at its default and is for internal use.
  • initialize(): This is called internally by Symfony2 session storage classes to link bag data to the session.
  • getName(): Returns the name of the session bag.


The purpose of the bags implementing the Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface is to handle session attribute storage. This might include things like user ID, and remember me login settings or other user based state information.

  • Symfony\Component\HttpFoundation\Session\Attribute\AttributeBag This is the standard default implementation.
  • Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag This implementation allows for attributes to be stored in a structured namespace.

Any plain key => value storage system is limited in the extent to which complex data can be stored since each key must be unique. You can achieve namespacing by introducing a naming convention to the keys so different parts of your application could operate without clashing. For example, and However, sometimes this is not very practical when the attributes data is an array, for example a set of tokens. In this case, managing the array becomes a burden because you have to retrieve the array then process it and store it again:

$tokens = array('tokens' => array('a' => 'a6c1e0b6',
                                  'b' => 'f4a7b1f3'));

So any processing of this might quickly get ugly, even simply adding a token to the array:

$tokens = $session->get('tokens');
$tokens['c'] = $value;
$session->set('tokens', $tokens);

With structured namespacing, the key can be translated to the array structure like this using a namespace character (defaults to /):

$session->set('tokens/c', $value);

This way you can easily access a key within the stored array directly and easily.

Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface has a simple API

  • set(): Sets an attribute by key;
  • get(): Gets an attribute by key;
  • all(): Gets all attributes as an array of key => value;
  • has(): Returns true if the attribute exists;
  • keys(): Returns an array of stored attribute keys;
  • replace(): Sets multiple attributes at once: takes a keyed array and sets each key => value pair.
  • remove(): Deletes an attribute by key;
  • clear(): Clear the bag;

Flash messages

The purpose of the Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface is to provide a way of setting and retrieving messages on a per session basis. The usual workflow for flash messages would be set in an request, and displayed after a page redirect. For example, a user submits a form which hits an update controller, and after processing the controller redirects the page to either the updated page or an error page. Flash messages set in the previous page request would be displayed immediately on the subsequent page load for that session. This is however just one application for flash messages.

  • Symfony\Component\HttpFoundation\Session\Flash\AutoExpireFlashBag
    In this implementation, messages set in one page-load will be available for display only on the next page load. These messages will auto expire regardless of if they are retrieved or not.
  • Symfony\Component\HttpFoundation\Session\Flash\FlashBag
    In this implementation, messages will remain in the session until they are explicitly retrieved or cleared. This makes it possible to use ESI caching.

Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface has a simple API

  • add(): Adds a flash message to the stack of specified type;
  • set(): Sets flashes by type; This method conveniently takes both singles messages as a string or multiple messages in an array.
  • get(): Gets flashes by type and clears those flashes from the bag;
  • setAll(): Sets all flashes, accepts a keyed array of arrays type => array(messages);
  • all(): Gets all flashes (as a keyed array of arrays) and clears the flashes from the bag;
  • peek(): Gets flashes by type (read only);
  • peekAll(): Gets all flashes (read only) as keyed array of arrays;
  • has(): Returns true if the type exists, false if not;
  • keys(): Returns an array of the stored flash types;
  • clear(): Clears the bag;

For simple applications it is usually sufficient to have one flash message per type, for example a confirmation notice after a form is submitted. However, flash messages are stored in a keyed array by flash $type which means your application can issue multiple messages for a given type. This allows the API to be used for more complex messaging in your application.

Examples of setting multiple flashes:

use Symfony\Component\HttpFoundation\Session\Session;

$session = new Session();

// add flash messages
    'Your config file is writable, it should be set read-only'
$session->getFlashBag()->add('error', 'Failed to update name');
$session->getFlashBag()->add('error', 'Another error');

Displaying the flash messages might look as follows.

Simple, display one type of message:

// display warnings
foreach ($session->getFlashBag()->get('warning', array()) as $message) {
    echo "<div class='flash-warning'>$message</div>";

// display errors
foreach ($session->getFlashBag()->get('error', array()) as $message) {
    echo "<div class='flash-error'>$message</div>";

Compact method to process display all flashes at once:

foreach ($session->getFlashBag()->all() as $type => $messages) {
    foreach ($messages as $message) {
        echo "<div class='flash-$type'>$message</div>\n";

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.