Session

The Session class in PHPFast provides a structured way to manage user sessions securely. It includes features like:

Basic session handling (start, set, get, delete, destroy). Flash messages (temporary session data that disappears after one request). Security features such as session regeneration to prevent session fixation attacks. Session timeout handling to automatically destroy inactive sessions. CSRF protection with token generation and validation.

Managing Session Variables

set()

Stores a session variable with a given key and value.

Example:

Session::set('user_id', 123); // Stores user ID in session

get()

Retrieves the value of a session variable using its key.

Example:

$user_id = Session::get('user_id'); // Retrieves user ID from session

del()

Completely clears all session data, effectively logging out the user and resetting the session

Example:

Session::del('user_id'); // Deletes the user_id session variable

destroy()

Completely clears all session data, effectively logging out the user and resetting the session.

Example:

Session::destroy(); // Logs out the user and clears all session data

has()

Checks if a session variable exists, allowing conditional logic based on whether a specific piece of session data is present.

Example:

if (Session::has('user_id')) {
    echo "User is logged in!";
}

Flash Messages

flash()

Storing a Flash Message

Example:

Session::flash('success', 'User created successfully!');

Retrieving a Flash Message

Example:

echo Session::flash('success'); // Displays message and removes it from session

has_flash()

Checking a Flash Message

Example:

if(Session::has_flash('success')){
    echo Session::flash('success');
}

Enhancing Session Security

regenerate()

Generates a new session ID while keeping existing session data intact. This prevents session fixation attacks, where attackers attempt to exploit predefined session IDs. It is commonly used after login to prevent unauthorized access.

Example:

Session::regenerate(); // Refreshes session ID after login

checkSessionTimeout()

Enforces a session timeout based on user inactivity. If the user remains inactive beyond the specified time limit (e.g., 1800 seconds for 30 minutes), the session is invalidated, and the user is logged out automatically.

Example:

Session::checkSessionTimeout(1800); // Auto-logout after 30 minutes of inactivity

CSRF Protection

CSRF tokens protect forms from unauthorized requests.

csrf_token()

Generates a unique CSRF token, which should be included in forms as a hidden field. This ensures that each form submission is validated before being processed.

Example:

$csrfToken = Session::csrf_token();

// Render a form
<input type="hidden" name="csrf_token" value="$csrfToken">

csrf_verify()

Checks the submitted CSRF token against the stored token to ensure the request is legitimate. If the verification fails, the request is blocked, protecting against unauthorized form submissions.

Example:

// When form submited
if (!Session::csrf_verify($_POST['csrf_token'])) {
    die("Invalid request!");
}

PreviousSecurityNextTask Queue

Last updated

Was this helpful?