Session Management
Warning: You are browsing the documentation for Symfony 4.x, which is no longer maintained.
Consider upgrading your projects to Symfony 7.2.
The Symfony HttpFoundation component has a very powerful and flexible session subsystem which is designed to provide session management through a clear object-oriented interface using a variety of session storage drivers.
Sessions are used via the Session implementation of SessionInterface interface.
Caution
Make sure your PHP session isn't already started before using the Session class. If you have a legacy session system that starts your session, see Legacy Sessions.
Quick example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
use Symfony\Component\HttpFoundation\Session\Session;
$session = new Session();
$session->start();
// set and get session attributes
$session->set('name', 'Drak');
$session->get('name');
// set flash messages
$session->getFlashBag()->add('notice', 'Profile updated');
// retrieve messages
foreach ($session->getFlashBag()->get('notice', []) as $message) {
echo '<div class="flash-notice">'.$message.'</div>';
}
Note
Symfony sessions are designed to replace several native PHP functions.
Applications should avoid using session_start()
, session_regenerate_id()
,
session_id()
, session_name()
, and session_destroy()
and instead
use the APIs in the following section.
Note
While it is recommended to explicitly start a session, a session will actually start on demand, that is, if any session request is made to read/write session data.
Caution
Symfony sessions are incompatible with php.ini
directive session.auto_start = 1
This directive should be turned off in php.ini
, in the web server directives or
in .htaccess
.
Session API
The Session class implements SessionInterface.
The Session has the following API, divided into a couple of groups.
Session Workflow
- start()
-
Starts the session - do not use
session_start()
. - migrate()
-
Regenerates the session ID - do not use
session_regenerate_id()
. This method can optionally change the lifetime of the new cookie that will be emitted by calling this method. - invalidate()
-
Clears all session data and regenerates session ID. Do not use
session_destroy()
. - getId()
-
Gets the session ID. Do not use
session_id()
. - setId()
-
Sets the session ID. Do not use
session_id()
. - getName()
-
Gets the session name. Do not use
session_name()
. - setName()
-
Sets the session name. Do not use
session_name()
.
Session Attributes
The session attributes are stored internally in a "Bag", a PHP object that acts
like an array. They can be set, removed, checked, etc. using the methods
explained later in this article for the AttributeBagInterface
class. See
Session Management.
In addition, a few methods exist for "Bag" management:
- registerBag()
- Registers a SessionBagInterface.
- getBag()
- Gets a SessionBagInterface by bag name.
- getFlashBag()
- Gets the FlashBagInterface. This is just a shortcut for convenience.
Session Metadata
- getMetadataBag()
- Gets the MetadataBag which contains information about the session.
Session Data Management
PHP's session management requires the use of the $_SESSION
super-global,
however, this interferes somewhat with code testability and encapsulation in an
OOP paradigm. To help overcome this, Symfony uses session bags linked to the
session to encapsulate a specific dataset of attributes or flash messages.
This approach also mitigates namespace pollution within the $_SESSION
super-global because each bag stores all its data under a unique namespace.
This allows Symfony to peacefully co-exist with other applications or libraries
that might use the $_SESSION
super-global and all data remains completely
compatible with Symfony's session management.
Symfony provides two kinds of storage bags, with two separate implementations. Everything is written against interfaces so you may extend or create your own bag types if necessary.
SessionBagInterface has the following API which is intended mainly for internal purposes:
- getStorageKey()
-
Returns the key which the bag will ultimately store its array under in
$_SESSION
. Generally this value can be left at its default and is for internal use. - initialize()
- This is called internally by Symfony session storage classes to link bag data to the session.
- getName()
- Returns the name of the session bag.
- clear()
- Clears out data from the bag.
Attributes
The purpose of the bags implementing the AttributeBagInterface is to handle session attribute storage. This might include things like user ID, and "Remember Me" login settings or other user based state information.
- AttributeBag
- This is the standard default implementation.
- NamespacedAttributeBag
- This implementation allows for attributes to be stored in a structured namespace.
AttributeBagInterface has the API
- set()
-
Sets an attribute by name (
set('name', 'value')
). - get()
-
Gets an attribute by name (
get('name')
) and can define a default value when the attribute doesn't exist (get('name', 'default_value')
). - all()
-
Gets all attributes as an associative array of
name => value
. - has()
-
Returns
true
if the attribute exists. - replace()
-
Sets multiple attributes at once using an associative array (
name => value
). If the attributes existed, they are replaced; if not, they are created. - remove()
- Deletes an attribute by name and returns its value.
- clear()
- Deletes all attributes.
Example:
1 2 3 4 5 6 7 8 9 10 11 12
use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBag;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
$session = new Session(new NativeSessionStorage(), new AttributeBag());
$session->set('token', 'a6c1e0b6');
// ...
$token = $session->get('token');
// if the attribute may or may not exist, you can define a default value for it
$token = $session->get('attribute-name', 'default-attribute-value');
// ...
$session->clear();
Namespaced Attributes
Any plain key-value storage system is limited in the extent to which
complex data can be stored since each key must be unique. You can achieve
namespacing by introducing a naming convention to the keys so different parts of
your application could operate without clashing. For example, module1.foo
and
module2.foo
. However, sometimes this is not very practical when the attributes
data is an array, for example a set of tokens. In this case, managing the array
becomes a burden because you have to retrieve the array then process it and
store it again:
1 2 3 4 5 6
$tokens = [
'tokens' => [
'a' => 'a6c1e0b6',
'b' => 'f4a7b1f3',
],
];
So any processing of this might quickly get ugly, even adding a token to the array:
1 2 3
$tokens = $session->get('tokens');
$tokens['c'] = $value;
$session->set('tokens', $tokens);
With structured namespacing, the key can be translated to the array
structure like this using a namespace character (which defaults to /
):
1 2 3 4 5
// ...
use Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag;
$session = new Session(new NativeSessionStorage(), new NamespacedAttributeBag());
$session->set('tokens/c', $value);
Flash Messages
The purpose of the FlashBagInterface is to provide a way of setting and retrieving messages on a per session basis. The usual workflow would be to set flash messages in a request and to display them after a page redirect. For example, a user submits a form which hits an update controller, and after processing the controller redirects the page to either the updated page or an error page. Flash messages set in the previous page request would be displayed immediately on the subsequent page load for that session. This is however just one application for flash messages.
- AutoExpireFlashBag
- In this implementation, messages set in one page-load will be available for display only on the next page load. These messages will auto expire regardless of if they are retrieved or not.
- FlashBag
- In this implementation, messages will remain in the session until they are explicitly retrieved or cleared. This makes it possible to use ESI caching.
FlashBagInterface has the API
- add()
- Adds a flash message to the stack of specified type.
- set()
-
Sets flashes by type; This method conveniently takes both single messages as
a
string
or multiple messages in anarray
. - get()
- Gets flashes by type and clears those flashes from the bag.
- setAll()
-
Sets all flashes, accepts a keyed array of arrays
type => [messages]
. - all()
- Gets all flashes (as a keyed array of arrays) and clears the flashes from the bag.
- peek()
- Gets flashes by type (read only).
- peekAll()
- Gets all flashes (read only) as a keyed array of arrays.
- has()
- Returns true if the type exists, false if not.
- keys()
- Returns an array of the stored flash types.
- clear()
- Clears the bag.
For simple applications it is usually sufficient to have one flash message per
type, for example a confirmation notice after a form is submitted. However,
flash messages are stored in a keyed array by flash $type
which means your
application can issue multiple messages for a given type. This allows the API
to be used for more complex messaging in your application.
Examples of setting multiple flashes:
1 2 3 4 5 6 7 8 9 10 11 12
use Symfony\Component\HttpFoundation\Session\Session;
$session = new Session();
$session->start();
// add flash messages
$session->getFlashBag()->add(
'warning',
'Your config file is writable, it should be set read-only'
);
$session->getFlashBag()->add('error', 'Failed to update name');
$session->getFlashBag()->add('error', 'Another error');
Displaying the flash messages might look as follows.
Display one type of message:
1 2 3 4 5 6 7 8 9
// display warnings
foreach ($session->getFlashBag()->get('warning', []) as $message) {
echo '<div class="flash-warning">'.$message.'</div>';
}
// display errors
foreach ($session->getFlashBag()->get('error', []) as $message) {
echo '<div class="flash-error">'.$message.'</div>';
}
Compact method to process display all flashes at once:
1 2 3 4 5
foreach ($session->getFlashBag()->all() as $type => $messages) {
foreach ($messages as $message) {
echo '<div class="flash-'.$type.'">'.$message.'</div>';
}
}