What is a Session?
Sessions are used to store information about the user temporarily across requests.
How to configure your session file in Laravel
The session configuration file is stored in config/session.php. From this file you can change the session driver, the session lifetime, and more. For example, if you want to encrypt all your session data, you can enable that from the config/session.php file.
Change Session driver
By default, Laravel is configured to use the file session driver, which stores your session files in storage/framework/sessions.
You can change the path where sessions are saved, and you can also switch the session driver to one of the other drivers provided by Laravel, from the config/session.php file:
cookie: sessions are stored in secure, encrypted cookies.
database: sessions are stored in a relational database.
memcached / redis: sessions are stored in one of these fast, cache-based stores.
dynamodb: sessions are stored in AWS DynamoDB.
array: sessions are stored in a PHP array and will not be persisted.
If you want to store sessions in a database, read the Driver Prerequisites section of the Laravel session documentation first.
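As an added example that is not part of the original article, here is a trimmed config/session.php with the settings discussed above set to values suitable for a production deployment served over HTTPS. The config keys and the SESSION_* environment variable names are Laravel's own; the chosen values (database driver, encryption on, secure cookie flags) are this example's assumptions, not Laravel's defaults.

```php
<?php
// Excerpt of config/session.php (added example, not the article's code).
// The keys are Laravel's real session config keys; the values are chosen
// for a hardened production deployment and are assumptions.

return [
    // The default driver is 'file'. A server-side store such as 'database'
    // or 'redis' shares session state across several web nodes and keeps
    // session payloads off the client entirely.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Minutes of inactivity before a session expires; false keeps the
    // session alive until that lifetime even if the browser is closed.
    'lifetime' => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,

    // Encrypt the serialized session payload at rest in the chosen store.
    'encrypt' => env('SESSION_ENCRYPT', true),

    // Only used by the 'file' driver: where session files are written.
    'files' => storage_path('framework/sessions'),

    // Used by the 'database' driver (see Driver Prerequisites for the table).
    'connection' => env('SESSION_CONNECTION'),
    'table' => 'sessions',

    // Probability that a request triggers expired-session cleanup: 2 in 100.
    'lottery' => [2, 100],

    // Cookie settings: send the session cookie only over HTTPS, keep it out
    // of JavaScript, and stop cross-site requests from carrying it.
    'cookie' => env('SESSION_COOKIE', 'laravel_session'),
    'path' => '/',
    'domain' => env('SESSION_DOMAIN'),
    'secure' => env('SESSION_SECURE_COOKIE', true),
    'http_only' => true,
    'same_site' => 'lax',
];
```

'lax' is Laravel's default for same_site and is the practical choice when users return from third-party flows (OAuth, payment providers); 'strict' is tighter but breaks those redirects because the browser then drops the session cookie on the return hop.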
How to Store And Retrieve Sessions
If you want to store or retrieve session data in Laravel, there are two possible ways.
1. From the session() helper method
When you call the session() helper with an array of key/value pairs, those values are stored in the session:
// Store data in the session
session(['key' => 'value']);
But if you call the session() helper with a single string argument, it returns the value stored under that key:
session('key'); // returns the value
Check if the session data is stored
If you want to check if an item exists in the session, you can use the has() method, which returns true if the item is present and is not null:
$request->session()->has('key'); // true or false
And if you want to check if an item is present in the session even when its value is null, you may use the exists() method:
$request->session()->exists('key');
2. From the request instance
You can store data in the session through a request instance, or through the request() helper method, which returns the current request instance:
$request->session()->put('key', 'value');
You can also retrieve session data:
$value = $request->session()->get('key');
Retrieving & Deleting An Item
If you want to retrieve and delete an item in a single statement, you can use the pull() method:
$value = request()->session()->pull('name');
How to delete session data
To delete session data you can use the forget() method:
$request->session()->forget('key');
$request->session()->forget(['key1', 'key2']);
And if you would like to remove all data from the session, you may use the flush() method:
$request->session()->flush();
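Tying the calls above together, here is an added example (not the article's own code) of a controller that keeps an article draft in the session and shows the has()/exists() difference on a key whose value is null. The DraftController class, its routes and the draft_* key names are assumptions made for the example.

```php
<?php
// Added example: a controller that walks through the session API covered in
// the article. Class, route and key names are assumptions, not the article's.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class DraftController extends Controller
{
    // Store a draft: put() writes one key, session([...]) writes several.
    public function store(Request $request): JsonResponse
    {
        $request->session()->put('draft_title', $request->input('title'));
        session([
            'draft_body' => $request->input('body'),
            'draft_tags' => null, // deliberately null to show has() vs exists()
        ]);

        return response()->json(['saved' => true]);
    }

    public function show(Request $request): JsonResponse
    {
        return response()->json([
            'title'       => $request->session()->get('draft_title'),
            // Second argument is the default returned when the key is absent.
            'body'        => session('draft_body', ''),
            // has() is false: the key is present but its value is null.
            'has_tags'    => $request->session()->has('draft_tags'),
            // exists() is true: the key itself was written, null or not.
            'tags_exists' => $request->session()->exists('draft_tags'),
        ]);
    }

    // pull() returns the value and removes it in one statement; once the
    // draft is published there is no reason to leave it in the session.
    public function publish(Request $request): JsonResponse
    {
        $title = $request->session()->pull('draft_title');
        $request->session()->forget(['draft_body', 'draft_tags']);

        return response()->json(['published' => $title]);
    }

    // flush() empties the whole session, not just the draft keys; reserve it
    // for cases where everything the user had stored should be dropped.
    public function discardAll(Request $request): JsonResponse
    {
        $request->session()->flush();

        return response()->json(['cleared' => true]);
    }
}
```

Keeping keys scoped with a common prefix and removing them with pull()/forget() as soon as they are consumed limits how much user-supplied data sits in the session store for the lifetime of the session.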
How to use Session Flash
Flash data is session data that is kept only for the next request. It is most often used for success/failure messages that automatically disappear after a page refresh.
To use flash data, Laravel provides a helpful method called flash() that accepts a key and its value:
$request->session()->flash('status', 'Article Added');
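As an added example that is not from the original article, here is the flash() call placed in a store-then-redirect flow, together with the case where the message has to survive one extra redirect. The ArticleController class, the route names and the Blade view path are assumptions; the 'status' => 'Article Added' pair is the article's own.

```php
<?php
// Added example: flashing a status message and consuming it on the next
// request. Controller, route and view names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class ArticleController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        // ... validate and persist the article (omitted) ...

        // Flash data lives for exactly one subsequent request: the redirect
        // target below can read it, the request after that cannot.
        $request->session()->flash('status', 'Article Added');

        return redirect()->route('articles.index');
        // Shorthand for the same two steps:
        //   return redirect()->route('articles.index')->with('status', 'Article Added');
    }

    public function index(Request $request)
    {
        // Read the flashed value; after this response it is aged out.
        $status = $request->session()->get('status');

        // If this request itself redirects again, keep the flashed key alive
        // for one more request with keep() (or reflash() for all flash data).
        if ($request->boolean('forward')) {
            $request->session()->keep(['status']);

            return redirect()->route('articles.index');
        }

        return view('articles.index', ['status' => $status]);
        // In resources/views/articles/index.blade.php (assumed view), render
        // with {{ }} so the message is HTML-escaped even if it ever carries
        // user-controlled text:
        //   @if (session('status'))
        //       <div class="alert">{{ session('status') }}</div>
        //   @endif
    }
}
```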
How to protect your web application from session attacks
Regenerating The Session ID
Session regeneration means assigning a new session ID to the current session. It mainly helps prevent session fixation attacks.
A session fixation attack is one where a malicious user exploits a weakness in a system to fixate (set) the session ID of another user. If that user then authenticates under the fixed ID, the attacker gets complete access as the original user and can perform tasks that would otherwise require authentication.
Because of that, Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel starter kits, but you can manually regenerate the session ID with the regenerate() method:
$request->session()->regenerate();
Laravel also provides another method that regenerates the session ID and removes all previous session data:
$request->session()->invalidate();
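As an added example (not the article's code), here is where those two calls belong in a hand-written login and logout flow, which is what the starter kits do for you. The SessionController class, the route targets and the field names are assumptions; regenerate(), invalidate() and regenerateToken() are Laravel's own session methods.

```php
<?php
// Added example: a login/logout controller that rotates the session ID at
// the two moments that matter for session fixation. Class, route and field
// names are assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionController extends Controller
{
    public function login(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            return back()
                ->withErrors(['email' => 'Invalid credentials.'])
                ->onlyInput('email');
        }

        // The browser arrived with a pre-authentication session ID that may
        // have been planted by someone else. Issuing a fresh ID here means
        // the authenticated session is never reachable by the old
        // identifier, which is what defeats session fixation.
        $request->session()->regenerate();

        return redirect()->intended('/dashboard');
    }

    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();

        // invalidate() regenerates the ID *and* flushes all session data, so
        // nothing from the authenticated session lingers in the store under
        // either the old or the new identifier.
        $request->session()->invalidate();

        // Rotate the CSRF token as well, so a token captured during the old
        // session cannot be replayed against the new one.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

The difference between the two methods is the data: regenerate() is used at login, when the pre-login session contents (such as a remembered intended URL or a cart) should be carried over under the new ID, while invalidate() is used at logout, when nothing from the old session should survive.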