ZF3 provides a special service called `SessionManager`, which belongs to the `Zend\Session` namespace. This service is a regular ZF3 service and is automatically registered in the service manager. You can get an instance of the `SessionManager` service in a factory class with the following code:

```php
// Use alias for the SessionManager class.
use Zend\Session\SessionManager;

// Retrieve an instance of the session manager from the service manager.
$sessionManager = $container->get(SessionManager::class);
```

So, what does the `SessionManager` do? Actually, it does everything needed for the session to run. A summary of its most useful methods is provided in table 15.1 below:

| Method | Description |
|---|---|
| `sessionExists()` | Checks whether the session exists and is currently active. |
| `start($preserveStorage = false)` | Starts the session (if not started yet). |
| `destroy(array $options = null)` | Ends the session. |
| `getId()` | Returns the session ID. |
| `setId()` | Sets the session ID. |
| `regenerateId()` | Regenerates the session ID. |
| `getName()` | Returns the session name. |
| `setName()` | Overrides the default session name from php.ini. |
| `rememberMe($ttl = null)` | Sets the session cookie lifetime (in seconds). |
| `forgetMe()` | Sets a zero lifetime for the session cookie (the cookie will expire when the browser is closed). |
| `expireSessionCookie()` | Expires the session cookie immediately. |
| `isValid()` | Executes session validators. |

As you can see from the table above, the `SessionManager` can start the session and end it, check whether the session exists, and set session parameters (such as cookie expiration). It also provides a validator chain that may contain session validators (these validators help prevent attacks on session data).
On initialization, the `SessionManager` class reads the application configuration, so you can set up the session parameters conveniently. To do that, modify your `APP_DIR/config/autoload/global.php` as follows:

```php
<?php
use Zend\Session\Storage\SessionArrayStorage;
use Zend\Session\Validator\RemoteAddr;
use Zend\Session\Validator\HttpUserAgent;

return [
    // Session configuration.
    'session_config' => [
        // Session cookie will expire in 1 hour.
        'cookie_lifetime' => 60*60*1,
        // Session data will be stored on server maximum for 30 days.
        'gc_maxlifetime'  => 60*60*24*30,
    ],
    // Session manager configuration.
    'session_manager' => [
        // Session validators (used for security).
        'validators' => [
            RemoteAddr::class,
            HttpUserAgent::class,
        ]
    ],
    // Session storage configuration.
    'session_storage' => [
        'type' => SessionArrayStorage::class
    ],

    // ...
];
```

We modify the `global.php` file here because sessions may be used by any module in your website and do not depend on the environment.
As you can see, the session configuration is stored under three keys:

* The `session_config` key defines how long the session cookie will live and how long the PHP engine will store your session data on the server. This key may contain additional session options, but we omit them for simplicity (if you'd like to override those advanced options, please refer to the Zend Framework documentation).
* The `session_manager` key sets the session validators. These are used to enhance security. It is recommended that you always specify these validators here.
* The `session_storage` key specifies the session storage class. We use the `SessionArrayStorage` class, which is the default storage and is sufficient for most cases.

In ZF3, many components use the session manager implicitly (for example, the `FlashMessenger` controller plugin and view helper use the session to save messages between HTTP requests). To let such components use the session manager you just configured, you have to make it "the default one" by instantiating it as early as possible. For example, you can instantiate the session manager in your module's `onBootstrap()` method, as follows:

```php
<?php
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Session\SessionManager;

class Module
{
    //...

    /**
     * This method is called once the MVC bootstrapping is complete.
     */
    public function onBootstrap(MvcEvent $event)
    {
        $application = $event->getApplication();
        $serviceManager = $application->getServiceManager();

        // The following line instantiates the SessionManager and automatically
        // makes the SessionManager the 'default' one.
        $sessionManager = $serviceManager->get(SessionManager::class);
    }
}
```

Making the session manager the default one is very important, because otherwise you'll have to explicitly pass it to every component depending on the session manager, which is rather boring.
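
The following is an added example, not code from the original text: it extends `onBootstrap()` to handle a session that the `RemoteAddr` or `HttpUserAgent` validator configured above rejects. It relies on `SessionManager::start()` throwing `Zend\Session\Exception\RuntimeException` when the validator chain fails; the helper name `startValidatedSession()` is hypothetical.

```php
<?php
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Session\Exception\RuntimeException as SessionException;
use Zend\Session\SessionManager;

class Module
{
    public function onBootstrap(MvcEvent $event)
    {
        $serviceManager = $event->getApplication()->getServiceManager();

        // Instantiating the manager makes it the default one.
        $sessionManager = $serviceManager->get(SessionManager::class);
        $this->startValidatedSession($sessionManager);
    }

    /**
     * Hypothetical helper (the name is an assumption): starts the session
     * and discards its data if a configured validator rejects the request.
     */
    private function startValidatedSession(SessionManager $sessionManager)
    {
        try {
            // start() runs the validator chain and throws when it fails.
            $sessionManager->start();
            return true;
        } catch (SessionException $e) {
            // The session cookie arrived from a different IP address or
            // browser than the one recorded when the session was created.
            // json_encode() escapes control characters in the logged values.
            error_log('Session validation failed: ' . json_encode([
                'ip' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null,
                'ua' => isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null,
            ]));
            // Drop the session data so the request continues unauthenticated.
            session_unset();
            return false;
        }
    }
}
```

Note that `RemoteAddr` also rejects legitimate users whose IP address changes mid-session (for example on mobile networks), so with this handling they are logged out and must sign in again.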