Session

Viames Marino edited this page May 4, 2026 · 2 revisions

Pair framework: Session

Pair\Models\Session is the ActiveRecord model for persisted user sessions.

It also provides static helpers for PHP session values.

Pair v4 configures native PHP sessions with an app-scoped cookie name derived from APP_NAME, rather than relying on the shared PHPSESSID default. This prevents local applications on the same host from reading or overwriting each other's PHP session cookie.

Main methods

Session lifecycle

  • current(): ?Session
  • destroy(): void
  • extendTimeout()
  • isExpired(int $sessionTime): bool
  • cleanOlderThan(int $sessionTime): void

User binding

  • getUser(): ?User
  • setUser(User $user): void
  • getFormerUser(): ?User
  • setFormerUser(User $formerUser)
  • hasFormerUser(): bool

PHP $_SESSION helpers

  • get(string $key): mixed
  • set(string $key, mixed $value): void
  • has(string $key): bool
  • unset(string $key): void

Native PHP session cookie

Before Pair starts a PHP session, Application::configureNativeSessionCookie() sets:

  • an app-specific cookie name such as PairApplicationSession
  • a cookie path derived from URL_PATH
  • SameSite=Lax
  • HttpOnly=true
  • secure=true on HTTPS or trusted proxy HTTPS requests

Session::destroy() uses the same cookie name and path when deleting the browser cookie.

After upgrading to this behavior, existing PHPSESSID browser sessions are not reused. Users may need to log in once per application.
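The cookie settings listed above can be expressed with PHP's native session functions. This is an added example, not Pair's implementation of configureNativeSessionCookie(). The helper names, the way the cookie name is derived from the application name, the trusted proxy address and the /myapp path are all assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; helper names and the name derivation are assumptions.

function appSessionCookieName(string $appName): string
{
    // Keep letters and digits only so the result is a valid session name.
    $clean = preg_replace('/[^A-Za-z0-9]/', '', ucwords($appName)) ?? '';
    return ($clean !== '' ? $clean : 'App') . 'Session';
}

function requestIsHttps(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // Honour X-Forwarded-Proto only when the direct peer is a known proxy;
    // otherwise any client could claim HTTPS by sending the header.
    $peer  = (string) ($server['REMOTE_ADDR'] ?? '');
    $proto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return in_array($peer, $trustedProxies, true) && $proto === 'https';
}

function sessionCookieOptions(string $urlPath, bool $secure): array
{
    return [
        'lifetime' => 0,                          // browser-session cookie
        'path'     => '/' . trim($urlPath, '/'),  // '' or '/' becomes '/'
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

function deleteSessionCookie(string $name, array $options): void
{
    // Same name and path as when the cookie was set, or the browser keeps it.
    unset($options['lifetime']);                  // setcookie() uses 'expires'
    setcookie($name, '', ['expires' => time() - 3600] + $options);
}

// Constructed sample values: application name, URL path, proxy address.
$name    = appSessionCookieName('Pair Application');
$options = sessionCookieOptions('/myapp', requestIsHttps($_SERVER, ['127.0.0.1']));

session_name($name);
session_set_cookie_params($options);
session_start();
```

The array forms of session_set_cookie_params() and setcookie() require PHP 7.3 or later.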

Implementation examples

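// Fetch the persisted session for the current request (null if there is none).
$session = \Pair\Models\Session::current();

// Destroy the session once it has outlived the given session time.
if ($session && $session->isExpired(60)) {
    \Pair\Models\Session::destroy();
}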

Set/get session data:

\Pair\Models\Session::set('csrf', $token);
$csrf = \Pair\Models\Session::get('csrf');

See also: User, Application, Configuration-file.
