Sessions#

Session support in PHP consists of a way to preserve certain data across subsequent accesses such as logged in user information and security tokens.

In order to support things like testing, the session is associated with a particular Controller. In normal usage, this is loaded from and saved to the regular PHP session, but for things like static-page-generation and unit-testing, you can create multiple Controllers, each with their own session.

Getting the session instance#

If you're in a controller, the Session object will be bound to the HTTPRequest for your controller.

Copynamespace App\Control;

use SilverStripe\Control\Controller;

class MyController extends Controller
{
    public function getSession()
    {
        return $this->getRequest()->getSession();
    }
}

Otherwise, if you're not in a controller, get the request as a service.

Copyuse SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Injector\Injector;

$request = Injector::inst()->get(HTTPRequest::class);
$session = $request->getSession();

Set#

Copy$session->set('MyValue', 6);

Saves the value of to session data. You can also save arrays or serialized objects in session (but note there may be size restrictions as to how much you can save).

Copy// saves an array
$session->set('MyArrayOfValues', ['1','2','3']);

// saves an object (you'll have to unserialize it back)
$object = new Object();
$session->set('MyObject', serialize($object));

Get#

Once you have saved a value to the Session you can access it by using the get function. Like the set function you can use this anywhere in your PHP files.

Copyecho $session->get('MyValue');
// returns 6

$data = $session->get('MyArrayOfValues');
// $data = [1,2,3]

$object = unserialize($session->get('MyObject', $object));
// $object = Object()

GetAll#

You can also get all the values in the session at once. This is useful for debugging.

Copy$session->getAll();
// returns an array of all the session values.

Clear#

Once you have accessed a value from the Session it doesn't automatically wipe the value from the Session, you have to specifically remove it.

Copy$session->clear('MyValue');

Or you can clear every single value in the session at once. Note Silverstripe CMS stores some of its own session data including form and page comment information. None of this is vital but clear_all will clear everything.

Copy$session->clearAll();

Cookies#

Samesite attribute#

The session cookie is handled slightly differently than most cookies on the site, which provides the opportunity to handle the samesite attribute separately from other cookies. By default, it is set to Strict to prevent cross-site attacks.

While it's generally not recommended, if you need to change this value for a particular reason then it can be changed via YAML:

CopySilverStripe\Control\Session:
  cookie_samesite: 'Lax'

You may also need to update the cookie responsible for remembering logins across sessions:

CopySilverStripe\Core\Injector\Injector:
  SilverStripe\Security\MemberAuthenticator\CookieAuthenticationHandler:
    properties:
      TokenCookieSameSite: 'Lax'

Secure session cookie#

The session cookie settings vary slightly between HTTP and HTTPS connections. HTTPS connections automatically include the Secure attribute. This ensures that secure session cookie data is only transmitted over encrypted HTTPS connections, preventing it from being exposed during plain-text HTTP requests and enhancing overall security. This means that if you are serving your site over both HTTPS and HTTP, some functionality such as authentication may not work as expected.

Like the samesite attribute, while it's not generally recommended a secure session cookie can be disabled via YAML:

CopySilverStripe\Control\Session:
  cookie_secure: false

You may also need to update the cookie responsible for remembering logins across sessions:

CopySilverStripe\Core\Injector\Injector:
  SilverStripe\Security\MemberAuthenticator\CookieAuthenticationHandler:
    properties:
      TokenCookieSecure: false

Note that if you set cookie_samesite to None (which is strongly discouraged), the cookie_secure value will always be true.

Relaxing checks around user agent strings#

Out of the box, Silverstripe CMS will invalidate a user's session if the User-Agent header changes. This provides some supplemental protection against session high-jacking attacks.

It is possible to disable the user agent header session validation. However, it is not recommended.

To disable the user agent session check, add the following code snippet to your project's YAML configuration.

CopySilverStripe\Control\Session:
  strict_user_agent_check: false

API documentation#

• Session