How to use Laravel Session

What is a Session?

Sessions are used to store information about the user temporarily across requests.

How to configure your session file in Laravel

The session configuration file is stored in config/session.php. From this file you can change the session driver, session lifetime, and more.

For example, if you want to encrypt all your session data, you can configure it easily from the config/session.php file.

Change Session driver

By default, Laravel is configured to use the file session driver, which stores your session files in storage/framework/sessions.

But you can change the path where sessions are saved, and you can also switch to one of the other session drivers provided by Laravel, from the config/session.php file:

  • cookie: sessions are stored in secure, encrypted cookies.
  • database: sessions are stored in a relational database.
  • memcached / redis: sessions are stored in one of these fast, cache-based stores.
  • dynamodb: sessions are stored in AWS DynamoDB.
  • array: sessions are stored in a PHP array and will not be persisted.

However, if you want to store the sessions in a database, you can read more about the Driver Prerequisites first.

How to Store And Retrieve Sessions

If you want to store or retrieve session data in Laravel, there are two possible ways:

1. From the session() helper method

When you call the session() helper with an array of key/value pairs, those values will be stored in the session:

// Store data in the session
session(['key' => 'value']);

But if you call the session() helper with a single string argument, it will return the value stored under that key:

// Retrieve data from the session
$value = session('key');

Check if the session data is stored

If you want to check whether an item exists in the session, you can use the has() method, which returns true if the item is present and is not null:

$request->session()->has('key'); // true or false

And if you want to check whether an item is present in the session even if its value is null, you may use the exists() method:

$request->session()->exists('key'); // true or false

2. From the request instance

You can store session data through a request instance, or through the request() helper method, which returns the current request instance :

$request->session()->put('key' , 'value');

You can also retrieve session data :

$value = $request->session()->get('key');

Retrieving & Deleting An Item

If you want to retrieve and delete an item in a single statement you can use the pull() method :

$value = request()->session()->pull('name');

How to delete session data

To delete session data you can use the forget() method, which accepts a single key or an array of keys :

$request->session()->forget('key');
$request->session()->forget(['key1', 'key2']);

And if you would like to remove all data from the session, you may use the flush() method :

$request->session()->flush();

How to use Session Flash

Flash data is session data that is only kept for a single request. It is most often used for success/failure messages that automatically disappear after a page refresh.

To use flash data, Laravel provides a helpful method called flash() that accepts a key and its value :

$request->session()->flash('status', 'Article Added');

How to protect your web application from session attacks

Regenerating The Session ID

Session regeneration means giving the session a new session ID. It mainly helps prevent session fixation attacks.

A session fixation attack is one where a malicious user exploits a vulnerability in a system to fixate (set) the session ID of another user. Once the victim logs in under that ID, the attacker has complete access as the original user and can perform tasks that would otherwise require authentication.

Because of that, Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel starter kits.

But you can manually regenerate the session ID with the regenerate() method :

$request->session()->regenerate();

Laravel also provides another method, invalidate(), that regenerates the session ID and removes all previous session data :

$request->session()->invalidate();
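
Where the two calls above belong when you write the login and logout handlers yourself, as an added example that is not code from the original article. The controller name, the 'email' and 'password' field names, and the 'dashboard' redirect path are assumptions.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical controller name; wire it to your own login/logout routes.
class SessionAuthController extends Controller
{
    public function login(Request $request)
    {
        // Field names 'email' and 'password' are assumed for this example.
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            // Failed login: report one generic error for both fields.
            return back()
                ->withErrors(['email' => 'The provided credentials do not match our records.'])
                ->onlyInput('email');
        }

        // The ID issued before login may have been set by someone else;
        // replace it before the session starts carrying an identity.
        $request->session()->regenerate();

        return redirect()->intended('dashboard'); // 'dashboard' is an assumed path
    }

    public function logout(Request $request)
    {
        Auth::logout();

        // New session ID, and all previous session data removed.
        $request->session()->invalidate();

        // Issue a fresh CSRF token so the old one cannot be reused.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

The order in login() matters: regenerate() runs only after Auth::attempt() succeeds, so a session ID that existed before authentication is never the one tied to the logged-in user.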
