Session Class
The Session Class manages user sessions, flash data, and security features such as session regeneration and hijacking protection. It uses PHP’s native session handling with optional custom handlers (file or database) configured via your app configuration.
This library is automatically initialized and accessible as $this->session in your controllers.
Configuration
Configure session settings in ``config/config.php``:
<?php
$config['sess_driver'] = 'file'; // or 'database'
$config['sess_cookie_name'] = 'lava_session';
$config['sess_expiration'] = 7200; // Session lifetime (seconds)
$config['sess_time_to_update'] = 300; // Regenerate ID interval
$config['sess_match_ip'] = FALSE; // Block the session when the client IP changes
$config['sess_match_fingerprint'] = TRUE; // Validate the browser fingerprint on every request
$config['sess_regenerate_destroy'] = TRUE;
$config['sess_expire_on_close'] = FALSE;

$config['cookie_prefix'] = '';
$config['cookie_path'] = '/';
$config['cookie_domain'] = '';
$config['cookie_secure'] = FALSE; // Set to TRUE when the site is served over HTTPS
$config['cookie_httponly'] = TRUE;
$config['cookie_samesite'] = 'Lax';
Initialization
You do not need to load the session class manually. It is available globally as:
<?php
$this->session;
Basic Usage
Setting Session Data
<?php
// Set a single key
$this->session->set_userdata('username', 'john_doe');
// Set multiple keys
$this->session->set_userdata([
    'username' => 'john_doe',
    'role' => 'admin',
    'logged_in' => TRUE
]);
Retrieving Session Data
<?php
// Get a specific value
echo $this->session->userdata('username');
// Get all session data
print_r($this->session->userdata());
Checking and Removing Data
<?php
if ($this->session->has_userdata('logged_in')) {
    echo "User is logged in!";
}
// Remove one or more keys
$this->session->unset_userdata('username');
$this->session->unset_userdata(['username', 'role']);
Flashdata
Flashdata are session values available only for the next request. They are useful for showing success or error messages after form submissions or redirects.
Setting Flashdata
<?php
$this->session->set_flashdata('message', 'Account created successfully!');
Retrieving Flashdata
<?php
echo $this->session->flashdata('message');
Preserving Flashdata for Another Request
<?php
// Keep flashdata for one more request
$this->session->keep_flashdata('message');
Mark Existing Data as Flashdata
<?php
$this->session->mark_as_flash('username');
Session Management
Regenerate Session ID
<?php
// Regenerate session ID (destroys old session if TRUE)
$this->session->sess_regenerate(TRUE);
Destroy Session
<?php
$this->session->sess_destroy();
Security Features
IP Matching: If enabled, blocks the session when the client IP changes.
Fingerprint Matching: Creates a browser fingerprint from request headers and validates it on every request.
Session Regeneration: Automatically regenerates the session ID periodically to prevent session fixation attacks.
Cookie Security: Cookies are sent with HttpOnly and SameSite flags to prevent theft.
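The checks listed above, combined into one per-request decision, as an added example that is not LavaLust's own code. Only the config keys come from this page; the headers that make up the fingerprint, the session record layout, the 'reject'/'regenerate'/'ok' return values and the reading of sess_time_to_update as seconds are assumptions.

```php
<?php
// Added illustration, not LavaLust source. The fingerprinted headers, the
// session record layout and the return values are assumptions.

function fingerprint(array $server): string {
    // Hash headers that normally stay constant for one browser.
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|'
        . ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Returns 'reject', 'regenerate' or 'ok' for an existing session record.
function check_session(array $sess, array $server, array $config, int $now): string {
    if ($now - $sess['last_activity'] > $config['sess_expiration']) {
        return 'reject';     // idle longer than the session lifetime
    }
    if ($config['sess_match_ip'] && $sess['ip'] !== ($server['REMOTE_ADDR'] ?? '')) {
        return 'reject';     // client IP differs from the one stored at creation
    }
    if ($config['sess_match_fingerprint']
        && !hash_equals($sess['fingerprint'], fingerprint($server))) {
        return 'reject';     // headers differ from the ones stored at creation
    }
    if ($now - $sess['last_regenerate'] >= $config['sess_time_to_update']) {
        return 'regenerate'; // valid session, but the ID is due for rotation
    }
    return 'ok';
}

// Constructed sample data; config keys and values mirror config/config.php above.
$config = ['sess_expiration' => 7200, 'sess_time_to_update' => 300,
           'sess_match_ip' => false, 'sess_match_fingerprint' => true];
$owner = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
          'HTTP_ACCEPT_LANGUAGE' => 'en-US'];
$t0 = 1700000000;
$sess = ['ip' => $owner['REMOTE_ADDR'], 'fingerprint' => fingerprint($owner),
         'last_activity' => $t0, 'last_regenerate' => $t0];

$cases = [
    'same browser, 60 s later'       => [$owner, $t0 + 60],
    'same browser, 400 s later'      => [$owner, $t0 + 400],
    'same browser, new IP address'   => [['REMOTE_ADDR' => '203.0.113.9'] + $owner, $t0 + 60],
    'same cookie, different headers' => [['HTTP_USER_AGENT' => 'OtherClient/2.0'] + $owner, $t0 + 60],
    'same browser, 3 hours later'    => [$owner, $t0 + 10800],
];
foreach ($cases as $label => [$server, $now]) {
    printf("%-32s %s\n", $label, check_session($sess, $server, $config, $now));
}
```

Request headers are supplied by the client, so a fingerprint match makes a copied cookie harder to reuse but does not authenticate the browser; a browser update that changes the User-Agent ends a legitimate session in the same way.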
Reference: Available Methods
Session Data Methods
set_userdata($key, $value = NULL)
userdata($key = NULL)
has_userdata($key)
unset_userdata($key)
Flashdata Methods
set_flashdata($key, $value)
flashdata($key = NULL)
keep_flashdata($key)
mark_as_flash($key)
Session Control Methods
sess_regenerate($destroy = FALSE)
sess_destroy()
Example: Full Login Session Flow
<?php
class Auth extends Controller {
    public function login() {
        $username = $this->io->post('username');
        $password = $this->io->post('password');

        if ($this->user_model->validate($username, $password)) {
            // Issue a new session ID on login so an ID handed out before
            // authentication cannot be reused (session fixation)
            $this->session->sess_regenerate(TRUE);
            $this->session->set_userdata([
                'username' => $username,
                'logged_in' => TRUE
            ]);
            // The message contains user input: escape it when rendering the view
            $this->session->set_flashdata('message', 'Welcome back, '.$username.'!');
            redirect('dashboard');
        } else {
            $this->session->set_flashdata('error', 'Invalid credentials.');
            redirect('login');
        }
    }

    public function logout() {
        $this->session->sess_destroy();
        redirect('login');
    }
}
Notes
userdata() will exclude flashdata keys.
flashdata() values are removed automatically after retrieval.
The default session driver is file-based. Database driver is reserved for future implementation.