Session

The Session class in PHPFast provides a structured way to manage user sessions securely. It includes features like:

Basic session handling (start, set, get, delete, destroy). Flash messages (temporary session data that disappears after one request). Security features such as session regeneration to prevent session fixation attacks. Session timeout handling to automatically destroy inactive sessions. CSRF protection with token generation and validation.

Managing Session Variables

`set()`

Stores a session variable with a given key and value.

Example:

Session::set('user_id', 123); // Stores user ID in session

`get()`

Retrieves the value of a session variable using its key.

Example:

$user_id = Session::get('user_id'); // Retrieves user ID from session

`del()`

Completely clears all session data, effectively logging out the user and resetting the session

Example:

Session::del('user_id'); // Deletes the user_id session variable

`destroy()`

Completely clears all session data, effectively logging out the user and resetting the session.

Example:

Session::destroy(); // Logs out the user and clears all session data

`has()`

Checks if a session variable exists, allowing conditional logic based on whether a specific piece of session data is present.

Example:

if (Session::has('user_id')) {
    echo "User is logged in!";
}

Flash Messages

`flash()`

Storing a Flash Message

Example:

Session::flash('success', 'User created successfully!');

Retrieving a Flash Message

Example:

echo Session::flash('success'); // Displays message and removes it from session

`has_flash()`

Checking a Flash Message

Example:

if(Session::has_flash('success')){
    echo Session::flash('success');
}

Enhancing Session Security

`regenerate()`

Generates a new session ID while keeping existing session data intact. This prevents session fixation attacks, where attackers attempt to exploit predefined session IDs. It is commonly used after login to prevent unauthorized access.

Example:

Session::regenerate(); // Refreshes session ID after login

`checkSessionTimeout()`

Enforces a session timeout based on user inactivity. If the user remains inactive beyond the specified time limit (e.g., 1800 seconds for 30 minutes), the session is invalidated, and the user is logged out automatically.

Example:

Session::checkSessionTimeout(1800); // Auto-logout after 30 minutes of inactivity

CSRF Protection

CSRF tokens protect forms from unauthorized requests.

`csrf_token()`

Generates a unique CSRF token, which should be included in forms as a hidden field. This ensures that each form submission is validated before being processed.

Example:

$csrfToken = Session::csrf_token();

// Render a form
<input type="hidden" name="csrf_token" value="$csrfToken">

`csrf_verify()`

Checks the submitted CSRF token against the stored token to ensure the request is legitimate. If the verification fails, the request is blocked, protecting against unauthorized form submissions.

Example:

// When form submited
if (!Session::csrf_verify($_POST['csrf_token'])) {
    die("Invalid request!");
}

PreviousSecurity NextTask Queue

Last updated 9 months ago

Was this helpful?

hashtagManaging Session Variables

hashtagset()

hashtagget()

hashtagdel()

hashtagdestroy()

hashtaghas()

hashtagFlash Messages

hashtag flash()

hashtagStoring a Flash Message

hashtagRetrieving a Flash Message

hashtaghas_flash()

hashtagChecking a Flash Message

hashtagEnhancing Session Security

hashtag regenerate()

hashtagcheckSessionTimeout()

hashtagCSRF Protection

hashtagcsrf_token()

hashtag csrf_verify()

Managing Session Variables

`set()`

`get()`

`del()`

`destroy()`

`has()`

Flash Messages

`flash()`

Storing a Flash Message

Retrieving a Flash Message

`has_flash()`

Checking a Flash Message

Enhancing Session Security

`regenerate()`

`checkSessionTimeout()`

CSRF Protection

`csrf_token()`

`csrf_verify()`