# Session

The `Session` class in **PHPFast** provides a structured way to manage user sessions securely. It includes features like:

- **Basic session handling** (start, set, get, delete, destroy).
- **Flash messages** (temporary session data that disappears after one request).
- **Security features** such as session regeneration to prevent session fixation attacks.
- **Session timeout handling** to automatically destroy inactive sessions.
- **CSRF protection** with token generation and validation.

## Managing Session Variables

### `set()`

Stores a session variable with a given key and value.

Example:

```php
Session::set('user_id', 123); // Stores user ID in session
```

### `get()`

Retrieves the value of a session variable using its key.

Example:

```php
$user_id = Session::get('user_id'); // Retrieves user ID from session
```

### `del()`

Deletes a single session variable by its key, leaving the rest of the session data intact.

Example:

```php
Session::del('user_id'); // Deletes the user_id session variable
```

### `destroy()`

Completely clears all session data, effectively logging out the user and resetting the session.

Example:

```php
Session::destroy(); // Logs out the user and clears all session data
```

### `has()`

Checks if a session variable exists, allowing conditional logic based on whether a specific piece of session data is present.

Example:

```php
if (Session::has('user_id')) {
    echo "User is logged in!";
}
```

## Flash Messages

### `flash()`

Called with a key and a value, stores a message that survives only until the next request. Called with only a key, returns the stored message and removes it from the session.

#### **Storing a Flash Message**

Example:

```php
Session::flash('success', 'User created successfully!');
```

#### **Retrieving a Flash Message**

Example:

```php
echo Session::flash('success'); // Displays message and removes it from session
```

### `has_flash()`

#### **Checking a Flash Message**

Example:

```php
if(Session::has_flash('success')){
    echo Session::flash('success');
}
```

## Enhancing Session Security

### `regenerate()`

Generates a new session ID while keeping existing session data intact. This prevents session fixation attacks, where an attacker plants a session ID they already know in the victim's browser before the victim authenticates, and then reuses it once the victim has logged in. Call it immediately after a successful login so that any pre-login session ID is no longer valid.

Example:

```php
Session::regenerate(); // Refreshes session ID after login
```

### `checkSessionTimeout()`

Enforces a session timeout based on user inactivity. If the user remains inactive beyond the specified time limit (e.g., `1800` seconds for 30 minutes), the session is invalidated, and the user is logged out automatically.

Example:

```php
Session::checkSessionTimeout(1800); // Auto-logout after 30 minutes of inactivity
```
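The following is an added example, not code from the PHPFast project, showing how `regenerate()`, `set()`, `checkSessionTimeout()` and `has()` fit together in a login flow and a per-request guard. `find_user_by_email()` and the `$user->password_hash` property are hypothetical application code; `password_verify()` is PHP's built-in.

```php
<?php
// Added example (not from the PHPFast docs): a login handler and a per-request
// guard built on Session::regenerate(), set(), checkSessionTimeout() and has().
// find_user_by_email() and $user->password_hash are hypothetical application code.

const SESSION_IDLE_LIMIT = 1800; // 30 minutes, matching the timeout example above

function login(string $email, string $password): bool
{
    $user = find_user_by_email($email); // hypothetical lookup, returns null if unknown

    // password_verify() compares in constant time against the stored password hash.
    if ($user === null || !password_verify($password, $user->password_hash)) {
        Session::flash('error', 'Invalid email or password.');
        return false;
    }

    // Regenerate BEFORE storing anything privileged, so a session ID the browser
    // held before authentication can never become an authenticated session.
    Session::regenerate();
    Session::set('user_id', $user->id);
    Session::flash('success', 'Welcome back!');
    return true;
}

function logout(): void
{
    Session::destroy(); // drops all session data, including user_id
    header('Location: /login');
    exit;
}

// Run this at the top of every authenticated request, before any handler code.
function require_login(): void
{
    // Invalidates the session if the user has been idle longer than the limit.
    Session::checkSessionTimeout(SESSION_IDLE_LIMIT);

    if (!Session::has('user_id')) {
        Session::flash('error', 'Please sign in to continue.');
        header('Location: /login');
        exit;
    }
}
```

`require_login()` calls `checkSessionTimeout()` before `has()` on purpose: an expired session must be invalidated first, otherwise a stale `user_id` would still pass the check.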

## CSRF Protection

CSRF tokens ensure that a form submission originated from a page your application served, not from a third-party site that made the user's browser submit the request.

### `csrf_token()`

Generates a unique **CSRF token**, which should be included in forms as a hidden field. This ensures that each form submission is validated before being processed.

Example:

```php
$csrfToken = Session::csrf_token();

// Render the form with the token as a hidden field (escaped for HTML output)
echo '<form method="post" action="/users">';
echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($csrfToken, ENT_QUOTES, 'UTF-8') . '">';
echo '</form>';
```

### `csrf_verify()`

Checks the submitted **CSRF token** against the stored token to ensure the request is legitimate. If the verification fails, the request is blocked, protecting against unauthorized form submissions.

Example:

```php
// When the form is submitted; a missing token is treated as an invalid one
if (!Session::csrf_verify($_POST['csrf_token'] ?? '')) {
    die("Invalid request!");
}
```
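As an added example (not code from the PHPFast project), here is the complete round-trip for the CSRF Protection section, which also serves the Flash Messages section above: the GET handler renders the token and shows any pending flash message, and the POST handler verifies the token before reading any other input, then reports the result through a flash message and a redirect (post/redirect/get). `create_user()` is a hypothetical application function.

```php
<?php
// Added example (not from the PHPFast docs): a form round-trip that renders a
// CSRF token, verifies it on submission, and reports the outcome via a flash
// message plus redirect. create_user() is hypothetical application code.

function render_form(): string
{
    $token = htmlspecialchars(Session::csrf_token(), ENT_QUOTES, 'UTF-8');

    // Show any flash message left by the previous request; reading it removes it.
    $notice = '';
    if (Session::has_flash('error')) {
        $notice = '<p class="error">'
            . htmlspecialchars(Session::flash('error'), ENT_QUOTES, 'UTF-8')
            . '</p>';
    }

    return $notice
        . '<form method="post" action="/users">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="text" name="name">'
        . '<button type="submit">Create</button>'
        . '</form>';
}

function handle_submission(array $post): void
{
    // Verify the token before touching any other input; a missing token fails too.
    if (!Session::csrf_verify($post['csrf_token'] ?? '')) {
        Session::flash('error', 'Your form session expired, please try again.');
        header('Location: /users/new');
        exit;
    }

    create_user(trim($post['name'] ?? '')); // hypothetical
    Session::flash('success', 'User created successfully!');
    header('Location: /users'); // redirect so a browser refresh does not resubmit
    exit;
}

// Dispatch on the request method.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_submission($_POST);
} else {
    echo render_form();
}
```

The token is passed through `htmlspecialchars()` when rendered so that the hidden field cannot break out of its attribute, and the failure branch redirects rather than rendering inline, so the flash message is displayed exactly once on the following GET.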
