Repository files navigation

PHP session handler built on Symfony components and supporting Silex v1 & v2.

Supports session storage with:

• Doctrine cache
• Symfony Filesystem
• Bolt Filesystem
• Memcache
• Memcached
• PSR-6 Cache
• PSR-16 Simple Cache
• Redis

useBolt\Session\Bridge\Silex1\SessionServiceProvider;useSilex\Application;$app =newApplicaiton();$app->register(newSessionServiceProvider());

useBolt\Session\Bridge\Silex2\SessionServiceProvider;useSilex\Application;$app =newApplicaiton();$app->register(newSessionServiceProvider());

By default, Bolt will inherit the settingscookies_lifetime,cookies_domain,andenforce_ssl (forcookie_secure) should no override options be set, asper the order of precedence explained in the introduction.

However, there are several override settings available, should you need morefine-grained control.

Time in seconds, that a cookie will be valid for. Setting this value to 0 means"until the browser is closed".

In.php.ini this setting issession.cookie_lifetime.

Specifies URI path to set in the session cookie.

In.php.ini this setting issession.cookie_path.

Specifies the domain to set in the session cookie. Default is null, meaning thehost name of the server which generated the cookie.

In.php.ini this setting issession.cookie_domain.

Setting this totrue will enforce a HTTPS connection requirement to set, anduse, the session cookie.

In.php.ini this setting issession.cookie_secure.

Marks the cookie as accessible only through the HTTPprotocol, blockingaccess to requests by things such as JavaScript.

This setting can effectively help to reduce identity theft through XSS attacks,although browser support may vary.

Setting in yourconfig.yml:

In.php.ini this setting issession.cookie_httponly.

Session IDs are randomly generated to uniquely identify a user's session. Boltinternally handles this generation in a fashion close to how PHP 7.1+ now doesto better ensure the uniqueness of the generated ID.

By default, both PHP & Bolt use an ID length of 32, which should provide onlya small chance of collisions, or predictability, of the generated ID.

On hosts with a consistent amount of available CPU resources, and a focus onsecurity, you should consider a number of 48 or greater. However, this willincrease the server load, and amount of time taken to generate session IDs.

An example of generating 1,000 session IDs on PHP 7.0 and an Intel i5-5200:

Maximum value supported is 256.

In PHP 7.1+ the.php.ini this setting issession.sid_length.

Session storage handling, by default, is our filesystem layer. However, we alsosupport Redis & Memcached for more advanced use-cases.

Setting in yourconfig.yml:

In.php.ini this setting issession.save_handler.

Note: Some web hosting providers may implement alternative session handlingthat is not compatible with Bolt Session.

Should you encounter exceptions fromSessionServiceProvider indicatingproblems with PHP's system save path, setsave_handler: filesystem,and thesave_path option shown below.

When using Redis as the handler, the following options are also under theconnections subkey, of the session options:

If the native\Redis library is available, it will be used as the handler forRedis, if not available, it will instead check for the PHP implementation ofthe native library,\Predis\Client and use that.

When using Memcached as the handler, the following options are also under theconnections subkey, of the session options:

Session data is cached in between requests, andis not cleared by thenormal cache clearing functionality.

Instead, it uses garbage collection to manage deletion of expired sessions. Seethe section below on garbage collection for details on configuration.

Note: Manually deleting session data on a live server isnever advised.Should this ever be required on a live server, ensure all users are logged off,and place the site into maintenance mode first.

In.php.ini this setting issession.save_path.

When using the default filesystem handler, thesave_path parameter needs tobe in the form of{mount point}://{path}.

See theOverview of Bolt's Filesystem page for details onthe mount points available in Bolt.

Warning: If you set this to a world-readable directory, such as/tmp,other users on the server may be able to hijack sessions, or extractpotentially sensitive data.

When using Redis as the handler,save_path should be defined in the formattcp://IPADDRESS:PORT, with a default oftcp://127.0.0.1:6379.

When using Memcached as the handler,save_path should be defined in theformatIPADDRESS:PORT, with a default of127.0.0.1:11211.

Session garbage collection is the removal of sessions older than the configuredmaximum life time.

The need to perform garbage collection is determined based on a random probabilitycalculation during the initialisation of each session.

The maximum life time setting specifies the number of seconds after whichsession data will be seen as 'garbage' and potentially cleaned up.

In.php.ini this setting issession.gc_maxlifetime.

The settinggc_divisor coupled withgc_probability define the probability thatthe garbage collection (GC) process is performed.

In Bolt's session storage handler, the probability is calculated by generatinga random number between 0 andgc_divisor. If the value ofgc_probability isgreater than the random number, garbage collection will be performed, andsession files older than the maximum configured life time are removed.

Note: To disable garbage collection, setgc_probability to-1.

In.php.ini these settings are:

• session.gc_probability
• session.gc_divisor