mostafa amine briere
How to use Laravel Session

What is a Session?

Sessions store information about the user temporarily across requests.

How to configure your session file in Laravel

The session configuration file is stored in config/session.php. From this file you can change the session driver, the session lifetime, and more.

For example, if you want to encrypt all your session data you can configure it easily from the config/session.php file.

Change Session driver

By default, Laravel is configured to use the file session driver, which stores your session files in storage/framework/sessions.

But you can change the path where sessions are saved, and you can also switch to another of the session drivers provided by Laravel, from the config/session.php file.

  • cookie: sessions are stored in secure, encrypted cookies.

  • database: sessions are stored in a relational database.

  • memcached / redis: sessions are stored in one of these fast, cache-based stores.

  • dynamodb: sessions are stored in AWS DynamoDB.

  • array: sessions are stored in a PHP array and will not be persisted.

You can read more about the driver prerequisites, if you want to store sessions in a database, from this link.

How to Store And Retrieve Sessions

If you want to store or retrieve session data in Laravel, there are two possible ways:

1. From the session() helper method

When you call the session() helper with an array of key/value pairs, those values are stored in the session:

// Store data in the session
session(['key' => 'value']);

But if you call the session() helper with a single string argument, it returns the value stored under that key:

session('key'); // returns the value

Check if the session data is stored

If you want to check whether an item exists in the session, you can use the has() method, which returns true if the item is present and is not null:

$request->session()->has('key'); // true or false

And if you want to check whether an item is present in the session, even if its value is null, you can use the exists() method:

$request->session()->exists('key');

2. From the request instance

You can store session data through a request instance, or through the request() helper method, which returns the current request instance:

$request->session()->put('key', 'value');

You can also retrieve session data:

$value = $request->session()->get('key');

Retrieving & Deleting An Item

If you want to retrieve and delete an item in a single statement, you can use the pull() method:

$value = request()->session()->pull('name');

How to delete session data

To delete session data you can use the forget() method:

$request->session()->forget('key');
$request->session()->forget(['key1', 'key2']);

And if you would like to remove all data from the session, you can use the flush() method:

$request->session()->flush();

How to use Session Flash

Flash data is session data that is only kept for a single request. It is most often used for success/failure messages that automatically disappear after a page refresh.

To use flash data, Laravel provides a helpful method called flash() that accepts a key and its value:

$request->session()->flash('status', 'Article Added');

How to protect your web application from session attacks

Regenerating The Session ID

Session regeneration means assigning a new value to the session ID. It mainly helps prevent session fixation attacks.

A session fixation attack is one where a malicious user exploits a vulnerability in a system to fixate (set) the session ID of another user. By doing so, they get complete access as the original user and can perform tasks that would otherwise require authentication.

Because of that, Laravel automatically regenerates the session ID during authentication if you are using one of the Laravel starter kits.

But you can also regenerate the session ID manually with the regenerate() method:

$request->session()->regenerate();

Laravel also provides another method that regenerates the session ID and removes all previous session data:

$request->session()->invalidate();
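
The two calls above placed in a hand-written login and logout flow, as an added example that is not part of the original post. The controller name, the /dashboard route and the email/password field names are assumptions.

```php
<?php
// Added example: hypothetical controller, not code from the original post.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class SessionLoginController extends Controller
{
    public function login(Request $request): RedirectResponse
    {
        // Field names are assumed; adapt them to your login form.
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            // Failed login: no privilege change, so the session is left as it is.
            return back()->withErrors(['email' => 'Invalid credentials.']);
        }

        // Privilege level just changed: issue a new session ID and keep the data.
        // An ID that was set or observed before login stops being valid here.
        $request->session()->regenerate();

        return redirect()->intended('/dashboard'); // assumed route
    }

    public function logout(Request $request): RedirectResponse
    {
        Auth::logout();

        // New session ID and all previous session data removed.
        $request->session()->invalidate();

        // Rotate the CSRF token stored in the session as well.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```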