Sessions
Symfony provides a session object and several utilities that you can use tostore information about the user between requests.
Configuration
Sessions are provided by the HttpFoundation component, which is included inall Symfony applications, no matter how you installed it. Before using thesessions, check their default configuration:
- YAML
- # config/packages/framework.yaml
- framework:
- session:
- # enables the support of sessions in the app
- enabled: true
- # ID of the service used for session storage.
- # NULL = means that PHP's default session mechanism is used
- handler_id: null
- # improves the security of the cookies used for sessions
- cookie_secure: 'auto'
- cookie_samesite: 'lax'
- XML
- <!-- config/packages/framework.xml -->
- <?xml version="1.0" encoding="UTF-8" ?>
- <container xmlns="http://symfony.com/schema/dic/services"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:framework="http://symfony.com/schema/dic/symfony"
- xsi:schemaLocation="http://symfony.com/schema/dic/services
- https://symfony.com/schema/dic/services/services-1.0.xsd
- http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
- <framework:config>
- <!--
- enabled: enables the support of sessions in the app
- handler-id: ID of the service used for session storage
- NULL means that PHP's default session mechanism is used
- cookie-secure and cookie-samesite: improves the security of the cookies used for sessions
- -->
- <framework:session enabled="true"
- handler-id="null"
- cookie-secure="auto"
- cookie-samesite="lax"/>
- </framework:config>
- </container>
- PHP
- // config/packages/framework.php
- $container->loadFromExtension('framework', [
- 'session' => [
- // enables the support of sessions in the app
- 'enabled' => true,
- // ID of the service used for session storage
- // NULL means that PHP's default session mechanism is used
- 'handler_id' => null,
- // improves the security of the cookies used for sessions
- 'cookie_secure' => 'auto',
- 'cookie_samesite' => 'lax',
- ],
- ]);
Setting the handler_id
config option to null
means that Symfony willuse the native PHP session mechanism. The session metadata files will be storedoutside of the Symfony application, in a directory controlled by PHP. Althoughthis usually simplify things, some session expiration related options may notwork as expected if other applications that write to the same directory haveshort max lifetime settings.
If you prefer, you can use the session.handler.native_file
service ashandler_id
to let Symfony manage the sessions itself. Another useful optionis save_path
, which defines the directory where Symfony will store thesession metadata files:
- YAML
- # config/packages/framework.yaml
- framework:
- session:
- # ...
- handler_id: 'session.handler.native_file'
- save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
- XML
- <!-- config/packages/framework.xml -->
- <?xml version="1.0" encoding="UTF-8" ?>
- <container xmlns="http://symfony.com/schema/dic/services"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:framework="http://symfony.com/schema/dic/symfony"
- xsi:schemaLocation="http://symfony.com/schema/dic/services
- https://symfony.com/schema/dic/services/services-1.0.xsd
- http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
- <framework:config>
- <framework:session enabled="true"
- handler-id="session.handler.native_file"
- save-path="%kernel.project_dir%/var/sessions/%kernel.environment%"/>
- </framework:config>
- </container>
- PHP
- // config/packages/framework.php
- $container->loadFromExtension('framework', [
- 'session' => [
- // ...
- 'handler_id' => 'session.handler.native_file',
- 'save_path' => '%kernel.project_dir%/var/sessions/%kernel.environment%',
- ],
- ]);
Check out the Symfony config reference to learn more about the other availableSession configuration options. Also, if youprefer to store session metadata in a database instead of the filesystem,check out this article: How to Use PdoSessionHandler to Store Sessions in the Database.
Basic Usage
Symfony provides a session service that is injected in your services andcontrollers if you type-hint an argument withSessionInterface
:
- use Symfony\Component\HttpFoundation\Session\SessionInterface;
- class SomeService
- {
- private $session;
- public function __construct(SessionInterface $session)
- {
- $this->session = $session;
- }
- public function someMethod()
- {
- // stores an attribute in the session for later reuse
- $this->session->set('attribute-name', 'attribute-value');
- // gets an attribute by name
- $foo = $this->session->get('foo');
- // the second argument is the value returned when the attribute doesn't exist
- $filters = $this->session->get('filters', []);
- // ...
- }
- }
Tip
Every SessionInterface
implementation is supported. If you have yourown implementation, type-hint this in the argument instead.
Stored attributes remain in the session for the remainder of that user's session.By default, session attributes are key-value pairs managed with theAttributeBag
class.
If your application needs are complex, you may prefer to usenamespaced session attributes which are managed with theNamespacedAttributeBag
class. Before using them, override the session
service definition to replacethe default AttributeBag
by the NamespacedAttributeBag
:
- YAML
- # config/services.yaml
- session:
- public: true
- class: Symfony\Component\HttpFoundation\Session\Session
- arguments: ['@session.storage', '@session.namespacedattributebag', '@session.flash_bag']
- session.namespacedattributebag:
- class: Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag
Avoid Starting Sessions for Anonymous Users
Sessions are automatically started whenever you read, write or even check forthe existence of data in the session. This may hurt your application performancebecause all users will receive a session cookie. In order to prevent that, youmust completely avoid accessing the session.
For example, if your templates include some code to display theflash messages, sessions will start even if the useris not logged in and even if you haven't created any flash messages. To avoidthis behavior, add a check before trying to access the flash messages:
- {# this check prevents starting a session when there are no flash messages #}
- {% if app.request.hasPreviousSession %}
- {% for message in app.flashes('notice') %}
- <div class="flash-notice">
- {{ message }}
- </div>
- {% endfor %}
- {% endif %}