Table of contents
- What is a Session?
- How to configure your session file in Laravel
- How to Store And Retrieve Sessions
- How to delete sessions Data
- How to use Session Flash
- How to protect your web application from session attacks
What is a Session?
Sessions are used to store information about the user temporarily across requests.
How to configure your session file in Laravel
The session configuration file is stored in config/session.php. From this file you can change the session driver, session lifetime, and more.
For example, if you want to
encrypt all your session data you can configure it easily from the
Change Session driver
By default, Laravel is configured to use the file session driver, which stores your session files in
But you can change the path where sessions are saved, and you can also switch to one of the other session drivers provided by Laravel from the
- cookie: sessions are stored in secure, encrypted cookies.
- database: sessions are stored in a relational database.
- memcached / redis: sessions are stored in one of these fast, cache-based stores.
- dynamodb: sessions are stored in AWS DynamoDB.
- array: sessions are stored in a PHP array and will not be persisted.
You can read more about the Driver Prerequisites if you want to store the sessions in a database from this link
How to Store And Retrieve Sessions
If you want to store or retrieve session data in Laravel, there are two possible ways:
1. The session() helper method
When you call the session() helper with an array of key/value pairs, those values are stored in the session:
// Store data in the session
session(['key' => 'value']);
If you call the session() helper with a single string argument, it returns the value stored under that key:
session('key'); // returns the value
Check if the session data is stored
If you want to check whether an item exists in the session, you can use the has() method. It returns true if the item is present and is
$request->session()->has('key'); // true or false
And if you want to check if an item is present in the session, even if its value is null, you may use the
2. From the
You can store session data through a request instance, or through the request() helper method, which returns the current request instance:
$request->session()->put('key', 'value');
You can also retrieve session data:
$value = $request->session()->get('key');
Retrieving & Deleting An Item
If you want to retrieve and delete an item in a single statement, you can use the pull() method:
$value = request()->session()->pull('name');
How to delete sessions Data
To delete session data, you can use the forget() method:
$request->session()->forget('key');
$request->session()->forget(['key1', 'key2']);
If you would like to remove all data from the session, you may use the flush() method.
How to use Session Flash
Flash data is session data that is only kept for a single request. It is most often used for success/failure messages that automatically disappear after a page refresh.
To use flash data, Laravel provides a helpful method called flash() that accepts a key and its value:
$request->session()->flash('status', 'Article Added');
How to protect your web application from session attacks
Regenerating The Session ID
Session regeneration means giving the session a new session ID. It mainly helps prevent session fixation attacks.
A session fixation attack is one where a malicious user exploits a vulnerability in a system to fixate (set) the session ID of another user. By doing so, they get complete access as the original user and are able to perform tasks that would otherwise require authentication.
Because of that, Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel starter kits, but you can also regenerate the session ID manually with the regenerate() method.
Laravel also provides another method that regenerates the session ID and removes all previous session data.
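How the regeneration methods fit into a login and logout flow, as an added example that is not code from the original article. The controller name, the email/password fields and the redirect targets are assumptions; invalidate() is Laravel's method that regenerates the ID and clears the session data, and regenerateToken() rotates the CSRF token.

```php
<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Hypothetical controller for illustration; field names and redirect targets are assumptions.
class LoginController extends Controller
{
    public function login(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            // Failed login: the session stays unauthenticated, so nothing is regenerated.
            return back()->withErrors(['email' => 'Invalid credentials.'])->onlyInput('email');
        }

        // The privilege level just changed. Issue a new session ID so that an ID
        // fixed in the browser before login never becomes an authenticated session.
        // Existing session data (for example the intended URL) is kept.
        $request->session()->regenerate();

        return redirect()->intended('/dashboard');
    }

    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();

        // New session ID, and all previous session data is removed.
        $request->session()->invalidate();

        // Rotate the CSRF token that was tied to the old session.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```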