Session

ZephyrPHP provides a simple, secure session management system for storing user data across requests.

Configuration

Configure sessions in config/session.php:

<?php

return [
    // Name of the session cookie sent to the browser.
    'name' => env('SESSION_NAME', 'zephyr_session'),
    'lifetime' => env('SESSION_LIFETIME', 120), // minutes
    // Cookie path: '/' means the cookie accompanies every request to the host.
    'path' => '/',
    // No Domain attribute by default; SESSION_DOMAIN widens the cookie scope (see "Secure Cookie Settings").
    'domain' => env('SESSION_DOMAIN', null),
    // Send the cookie over HTTPS only. The default here is false; set SESSION_SECURE=true in production.
    'secure' => env('SESSION_SECURE', false),
    // Cookie is not readable from JavaScript (document.cookie).
    'httponly' => true,
    // 'Lax': cookie is withheld on cross-site POSTs and subresource requests, sent on top-level navigations.
    'samesite' => 'Lax',
    // NOTE(review): env() may hand back the raw .env string ('false', '120'); confirm these values
    // are cast to bool/int before they reach the cookie parameters.
];

Basic Usage

Accessing the Session

// In a controller
$value = $this->session->get('key');

// Using the helper function (same lookup without a controller instance)
$value = session('key');

// With default value, returned when 'key' is not present
$value = session('key', 'default');

Storing Data

// Set a value
$this->session->set('user_id', 123);

// Set multiple values: an array is stored under a single key
$this->session->set('user', [
    'id' => 123,
    'name' => 'John Doe'
]);

Retrieving Data

// Get a value
$userId = $this->session->get('user_id');

// Get with default, used when 'role' was never set
$role = $this->session->get('role', 'guest');

// Check if key exists. has() only reports that the key is present; it does
// not confirm that the referenced user still exists or is still allowed in.
if ($this->session->has('user_id')) {
    // User is logged in
}

Removing Data

// Remove a single key
$this->session->remove('temporary_data');

// Clear all session data (the session itself continues)
$this->session->clear();

// Destroy the session completely; this is what logout uses in the
// Authentication Example below
$this->session->destroy();

Flash Messages

Flash data is available only for the next request, perfect for status messages:

Setting Flash Messages

// In your controller. Each call stores its message for the next request only;
// templates read it back under the 'flash_<type>' key (e.g. session('flash_success')).
$this->flash('success', 'User created successfully!');
$this->flash('error', 'Something went wrong.');
$this->flash('warning', 'Please review your input.');
$this->flash('info', 'Your session will expire soon.');

return $this->redirect('/users');

Displaying Flash Messages

{% if session('flash_success') %}
    <div class="alert alert-success">
        {{ session('flash_success') }}
    </div>
{% endif %}

{% if session('flash_error') %}
    <div class="alert alert-danger">
        {{ session('flash_error') }}
    </div>
{% endif %}

{% if session('flash_warning') %}
    <div class="alert alert-warning">
        {{ session('flash_warning') }}
    </div>
{% endif %}

{% if session('flash_info') %}
    <div class="alert alert-info">
        {{ session('flash_info') }}
    </div>
{% endif %}

Reusable Flash Component

pages/partials/flash.twig
{% set flashTypes = ['success', 'error', 'warning', 'info'] %}

{% for type in flashTypes %}
    {% set message = session('flash_' ~ type) %}
    {% if message %}
        <div class="alert alert-{{ type == 'error' ? 'danger' : type }}">
            {{ message }}
        </div>
    {% endif %}
{% endfor %}

Then include it in your layouts:

{% include 'partials/flash.twig' %}

CSRF Tokens

Get and verify CSRF tokens through the session:

// Get the current CSRF token (the value to embed in forms for verification)
$token = $this->session->csrf();

// Regenerate the CSRF token; the Authentication Example does this after login
$newToken = $this->session->regenerateCsrf();

// Verify a submitted token. Do this before acting on any state-changing
// request and reject the request when it returns false.
if ($this->session->verifyCsrf($submittedToken)) {
    // Token is valid
}

Old Input

Preserve form input after validation failures:

Flashing Input

// When validation fails: keep the submitted input for the next request so the
// form can be re-rendered with the user's values (see "Retrieving Old Input")
$this->session->flashInput($this->request->all());

Retrieving Old Input

// In your controller: the value flashed by flashInput() for this field, if any
$name = $this->session->getOldInput('name');

// In Twig templates
<input type="text" name="name" value="{{ old('name') }}">

Session in Templates

Access session data in Twig templates:

{# Get session value #}
{{ session('user_name') }}

{# Check if exists #}
{% if session('user_id') %}
    Welcome back!
{% endif %}

{# With default #}
{{ session('theme', 'light') }}

Authentication Example

Common session patterns for authentication:

<?php

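class AuthController extends Controller
{
    /**
     * Authenticate the submitted email/password and start an authenticated session.
     *
     * On failure a single 'error' flash is set for both the unknown-email and
     * wrong-password cases and the user is sent back to the form. On success the
     * session ID is regenerated, the user is stored in the session, the CSRF
     * token is refreshed and the user is redirected to the dashboard.
     */
    public function login()
    {
        $credentials = $this->validate([
            'email' => 'required|email',
            'password' => 'required',
        ]);

        $user = User::findOneBy(['email' => $credentials['email']]);

        // One message for both failure cases, so the response does not tell
        // which of the two checks failed.
        if (!$user || !password_verify($credentials['password'], $user->password)) {
            $this->flash('error', 'Invalid credentials');
            return $this->back();
        }

        // The session ID issued before authentication must not carry over into
        // the authenticated session (session fixation). Issue a new ID and drop
        // the old server-side record, as recommended under "Session Security".
        session_regenerate_id(true);

        // Store user in session
        $this->session->set('user_id', $user->id);
        $this->session->set('user_name', $user->name);

        // Fresh CSRF token for the authenticated session
        $this->session->regenerateCsrf();

        $this->flash('success', 'Welcome back!');
        return $this->redirect('/dashboard');
    }

    /**
     * End the session entirely (not just clear its data) and return to the home page.
     */
    public function logout()
    {
        $this->session->destroy();

        return $this->redirect('/');
    }

    /**
     * Render the profile of the logged-in user.
     *
     * Redirects to /login when no user is stored in the session, or when the
     * stored user_id no longer resolves to a user.
     */
    public function profile()
    {
        if (!$this->session->has('user_id')) {
            return $this->redirect('/login');
        }

        $userId = $this->session->get('user_id');
        $user = User::find($userId);

        // A session may outlive the account it points at; treat a stale
        // user_id as "not logged in" rather than rendering with no user.
        // NOTE(review): assumes User::find() returns a falsy value for a
        // missing record — confirm against the model.
        if (!$user) {
            $this->session->destroy();
            return $this->redirect('/login');
        }

        return $this->render('profile', ['user' => $user]);
    }
}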

Session Security

Regenerating Session ID

Regenerate the session ID after sensitive operations such as login, so that a session ID handed out before authentication is not carried into the authenticated session:

// After login
// Issue a new session ID; passing true also deletes the old session record
// so the previous ID can no longer be used.
session_regenerate_id(true);

Secure Cookie Settings

# In .env for production
SESSION_SECURE=true  # Requires HTTPS
SESSION_DOMAIN=.yourdomain.com

Session Lifetime

# In .env
SESSION_LIFETIME=120  # 2 hours in minutes

Method Reference

Method Description
get($key, $default) Get a session value
set($key, $value) Set a session value
has($key) Check if key exists
remove($key) Remove a session value
clear() Clear all session data
destroy() Destroy the session
flash($key, $value) Set flash data
csrf() Get CSRF token
regenerateCsrf() Regenerate the CSRF token
verifyCsrf($token) Verify CSRF token
flashInput($data) Flash form input
getOldInput($key) Get old input value