HTTP Session
Introduction
HTTP applications are inherently stateless. To maintain user-specific data across multiple requests, sessions provide a secure and persistent mechanism. The Session class in the Slenix framework offers a unified API for managing session data, including storage, retrieval, flash data, and session lifecycle management.
Unlike raw PHP sessions, the Session class enforces secure defaults such as HttpOnly cookies, SameSite=Lax, and strict mode, reducing risks like session fixation and XSS.
Configuration
Sessions are automatically configured when using the Session::start() method. The following options are applied by default:
- cookie_secure — Cookies are only sent over HTTPS when the request is served over HTTPS.
- cookie_httponly — Prevents JavaScript access to session cookies.
- cookie_samesite — Defaults to Lax to mitigate CSRF attacks.
- use_strict_mode — Rejects uninitialized session IDs.
- use_only_cookies — Disables URL-based session IDs.
No external configuration file is required; these defaults are enforced internally.
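The defaults above map directly onto PHP's own session settings. The following is an added example, not Slenix code, showing the equivalent raw PHP configuration so the effect of each default can be inspected in a plain PHP environment; the function names are this example's own.

```php
<?php
// Added example: raw PHP equivalent of the secure defaults the Session class
// applies. Not part of the Slenix framework.
declare(strict_types=1);

function configureSecureSession(bool $https): void
{
    // use_strict_mode: a session ID the server never issued is rejected and
    // replaced with a fresh one, which defeats fixation via a planted cookie.
    ini_set('session.use_strict_mode', '1');
    // use_only_cookies: the ID is never accepted from the URL (?PHPSESSID=...).
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,   // cookie_secure: only sent over HTTPS when HTTPS is in use
        'httponly' => true,     // cookie_httponly: not readable from JavaScript
        'samesite' => 'Lax',    // cookie_samesite: not sent on cross-site POST requests
    ]);
}

// Returns the effective settings so they can be verified after configuration.
function sessionSecurityReport(): array
{
    $params = session_get_cookie_params();
    return [
        'strict_mode'  => ini_get('session.use_strict_mode') === '1',
        'only_cookies' => ini_get('session.use_only_cookies') === '1',
        'secure'       => $params['secure'],
        'httponly'     => $params['httponly'],
        'samesite'     => $params['samesite'],
    ];
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
configureSecureSession($https);
session_start();
var_export(sessionSecurityReport());
```

Running the script over HTTPS should report every flag as enabled and `samesite` as `Lax`; a `false` for `secure` on an HTTPS deployment usually means the request arrived over plain HTTP behind a proxy and the HTTPS detection needs to use the proxy's forwarded headers.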
Interacting With the Session
Starting the Session
Session::start();
This initializes the session with secure cookie parameters. It is automatically called by other methods, so you rarely need to invoke it directly.
Storing Data
Session::set('key', 'value');
Stores a value under the given key. If the session is not yet started, it will be initialized automatically.
Retrieving Data
$value = Session::get('key');
$value = Session::get('key', 'default');
Retrieves the value for a given key. If the key does not exist, the provided default will be returned.
Checking Existence
if (Session::has('user')) {
// Key exists and is not null
}
Returns true if the key exists in the session.
Retrieving All Data
$data = Session::all();
Returns an associative array of all session data.
Removing Data
Session::remove('key');
Deletes a specific key from the session.
Flash Data
Flash data is temporary and only persists for the next request. This is useful for status messages or form inputs.
Storing Flash Data
Session::flash('status', 'Task completed!');
Retrieving Flash Data
$message = Session::getFlash('status', 'No status');
Retrieves and deletes the flash data in one call.
Checking Flash Data
if (Session::hasFlash('status')) {
// Flash data exists
}
Old Input
Form inputs can be flashed to repopulate fields:
Session::flashOldInput($_POST);
This stores all submitted inputs as flash data, accessible in the next request.
Regenerating the Session ID
Session::regenerateId(true);
Regenerates the session ID to prevent fixation attacks. The optional parameter true destroys the old session. Call it whenever the session's privilege level changes, most importantly right after a successful login, so that an ID issued before authentication is never carried into the authenticated session.
Destroying the Session
Session::destroy();
Clears all session data, invalidates the cookie, and destroys the session.
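The lifecycle methods above are normally used together around authentication. The following is an added example, not code from the Slenix docs, of a login and logout handler built on the Session API; the authenticate() function is a constructed stand-in for the application's own user lookup, and the Session class is assumed to be autoloaded (its namespace is not given on this page).

```php
<?php
// Added example: login/logout handlers using the Session API. Not Slenix code.
declare(strict_types=1);

// Constructed stand-in for the application's user store: one user with a
// hashed password. A real application would query its database here.
function authenticate(string $email, string $password): ?int
{
    static $users = null;
    $users ??= [
        'alice@example.com' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$email])) {
        return null;
    }
    return password_verify($password, $users[$email]['hash']) ? $users[$email]['id'] : null;
}

function handleLogin(string $email, string $password): bool
{
    $userId = authenticate($email, $password);
    if ($userId === null) {
        // Generic message: do not reveal whether the email or the password was wrong.
        Session::flash('error', 'Invalid credentials');
        return false;
    }

    // The privilege level changes here, so the ID issued to the anonymous
    // visitor must not survive: rotate it and discard the old session record.
    Session::regenerateId(true);
    Session::set('user_id', $userId);
    Session::set('login_at', time());
    return true;
}

// Returns the authenticated user's ID, or null for an anonymous session.
function currentUserId(): ?int
{
    return Session::has('user_id') ? (int) Session::get('user_id') : null;
}

function handleLogout(): void
{
    // destroy() clears the data, invalidates the cookie and ends the session,
    // so a cookie captured earlier cannot be replayed after logout.
    Session::destroy();
}

// Usage (request handlers would call these):
if (handleLogin('alice@example.com', 'correct horse')) {
    echo 'logged in as user ' . currentUserId() . PHP_EOL;
    handleLogout();
    var_dump(currentUserId()); // NULL after destroy()
}
```

Note that regenerateId(true) is called before any authenticated data is written, so the user ID only ever lives under the new session ID.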
Redirects and Flash Data
The global redirect() helper integrates with the session to automatically flash data between requests:
redirect('/home')->with('success', 'Saved!');
redirect()->back()->withErrors(['email' => 'Invalid']);
redirect('/login')->withInput();
Flash data is stored using Session::flash and available in the next request.
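The redirect-and-flash pattern is most often used around form validation. The following added example, not from the Slenix docs, shows a POST handler that flashes validation errors and the submitted input, and the view code that consumes them on the next request. validateProfile() is a constructed validator, and because the page does not name the key flashOldInput() stores under, the example keeps the old input under its own 'old' key via Session::flash().

```php
<?php
// Added example: form validation with flash data and redirects. Not Slenix code.
declare(strict_types=1);

// Constructed validator returning field => message for each failing field.
function validateProfile(array $input): array
{
    $errors = [];
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address';
    }
    if (strlen(trim((string) ($input['name'] ?? ''))) < 2) {
        $errors['name'] = 'Name is too short';
    }
    return $errors;
}

// POST /profile
function storeProfile(array $post)
{
    $errors = validateProfile($post);
    if ($errors !== []) {
        // Never carry secrets or the CSRF token over in flash data: drop them
        // before the remaining fields are stored for repopulation.
        unset($post['password'], $post['_token']);
        Session::flash('errors', $errors);
        Session::flash('old', $post);
        return redirect()->back();
    }
    // ... persist the profile here ...
    return redirect('/profile')->with('success', 'Profile saved');
}

// GET /profile on the following request: getFlash() returns each item once
// and removes it, so a page reload shows a clean form.
function renderProfileForm(): string
{
    $errors = Session::getFlash('errors', []);
    $old    = Session::getFlash('old', []);
    // Old input is user-controlled; escape it before placing it in markup.
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $html = '';
    if (Session::hasFlash('success')) {
        $html .= '<p class="notice">' . $e((string) Session::getFlash('success')) . '</p>';
    }
    $html .= '<form method="post" action="/profile">';
    foreach (['name', 'email'] as $field) {
        $html .= sprintf('<input name="%s" value="%s">', $field, $e((string) ($old[$field] ?? '')));
        if (isset($errors[$field])) {
            $html .= '<span class="error">' . $e((string) $errors[$field]) . '</span>';
        }
    }
    $html .= '<button type="submit">Save</button></form>';
    return $html;
}
```

The escaping step matters because flashed old input is exactly the attacker-controlled string a reflected XSS payload would be placed in; HttpOnly protects the cookie but not the page that renders the form.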
Method Reference
| Method | Description | Example |
|---|---|---|
| start() | Initializes the session with secure defaults. | Session::start(); |
| set($key, $value) | Stores a value under a key. | Session::set('user', $user); |
| get($key, $default) | Retrieves a value or default. | Session::get('user', null); |
| has($key) | Checks if a key exists. | Session::has('token'); |
| all() | Returns all session data. | $data = Session::all(); |
| remove($key) | Deletes a key. | Session::remove('cart'); |
| regenerateId($deleteOld) | Regenerates the session ID. | Session::regenerateId(true); |
| destroy() | Clears and destroys the session. | Session::destroy(); |
| flash($key, $value) | Stores flash data. | Session::flash('status', 'OK'); |
| getFlash($key, $default) | Retrieves and deletes flash data. | Session::getFlash('status'); |
| hasFlash($key) | Checks if flash data exists. | Session::hasFlash('status'); |
| flashOldInput($data) | Stores old form inputs. | Session::flashOldInput($_POST); |