
bolt/session
============

PHP session storage for Symfony's HTTP layer

Version v1.1.1, MIT license, requires PHP ^5.5 || ^7.0

[Source](https://github.com/bolt/session), [Packagist](https://packagist.org/packages/bolt/session)

Bolt Session
============

PHP session handler built on Symfony components and supporting Silex v1 & v2.

Supports session storage with:

- Doctrine cache
- Symfony Filesystem
- Bolt Filesystem
- Memcache
- Memcached
- PSR-6 Cache
- PSR-16 Simple Cache
- Redis

Service Providers
-----------------


### Silex 1

```
use Bolt\Session\Bridge\Silex1\SessionServiceProvider;
use Silex\Application;

// Register the session service provider on a Silex 1 application.
$app = new Application();
$app->register(new SessionServiceProvider());
```

### Silex 2

```
use Bolt\Session\Bridge\Silex2\SessionServiceProvider;
use Silex\Application;

// Register the session service provider on a Silex 2 application.
$app = new Application();
$app->register(new SessionServiceProvider());
```

Browser cookies
---------------

By default, Bolt inherits the settings `cookies_lifetime`, `cookies_domain`, and `enforce_ssl` (for `cookie_secure`) when no override options are set, following the order of precedence explained in the introduction.

However, there are several override settings available, should you need more fine-grained control.

### Life time

Time in seconds that a cookie will be valid for. Setting this value to 0 means "until the browser is closed".

| Key | Default | Accepted value |
|---|---|---|
| `cookie_lifetime` | 1209600 | Integer >= 0 |

In `php.ini` this setting is [`session.cookie_lifetime`](http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime).

### Base URI path

Specifies the URI path to set in the session cookie.

| Key | Default | Accepted value |
|---|---|---|
| `cookie_path` | `/` | URI string |

In `php.ini` this setting is [`session.cookie_path`](http://php.net/manual/en/session.configuration.php#ini.session.cookie-path).

### Override domain name

Specifies the domain to set in the session cookie. Default is null, meaning the host name of the server which generated the cookie.

| Key | Default | Accepted value |
|---|---|---|
| `cookie_domain` | HTTP(S) request host name | A fully qualified domain name |

In `php.ini` this setting is [`session.cookie_domain`](http://php.net/manual/en/session.configuration.php#ini.session.cookie-domain).

### Enforce HTTPS requests

Setting this to `true` requires an HTTPS connection to set, and use, the session cookie.

| Key | Default | Accepted value |
|---|---|---|
| `cookie_secure` | `false` | Boolean on/off toggle |

In `php.ini` this setting is [`session.cookie_secure`](http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure).

### Restricting request to the HTTP protocol

Marks the cookie as accessible only through the HTTP *protocol*, blocking access by client-side scripts such as JavaScript.

This setting can effectively help to reduce identity theft through XSS attacks, although browser support may vary.

| Key | Default | Accepted value |
|---|---|---|
| `cookie_httponly` | `true` | Boolean on/off toggle |

Setting in your `config.yml`:

In `php.ini` this setting is [`session.cookie_httponly`](http://php.net/manual/en/session.configuration.php#ini.session.cookie-httponly).
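The cookie options above can be checked from the outside by inspecting the `Set-Cookie` header the application sends. The following is an added example, not code from bolt/session; the cookie name, the header strings and the 86400-second policy limit are constructed assumptions, and it needs PHP 7.1+.

```php
<?php
// Added example, not bolt/session code: audits one Set-Cookie header value.

/** Parse the cookie attributes into a lower-cased name => value map. */
function parseCookieAttributes(string $setCookie): array
{
    $parts = array_map('trim', explode(';', $setCookie));
    array_shift($parts); // the first part is name=value, not an attribute
    $attrs = [];
    foreach (array_filter($parts, 'strlen') as $part) {
        [$name, $value] = array_pad(explode('=', $part, 2), 2, '');
        $attrs[strtolower(trim($name))] = trim($value);
    }
    return $attrs;
}

/** Return findings for a session cookie; $maxLifetime is a policy limit in seconds. */
function auditSessionCookie(string $setCookie, int $maxLifetime): array
{
    $attrs = parseCookieAttributes($setCookie);
    $findings = [];
    if (!array_key_exists('secure', $attrs)) {
        $findings[] = 'no Secure flag: cookie is also sent over plain HTTP';
    }
    if (!array_key_exists('httponly', $attrs)) {
        $findings[] = 'no HttpOnly flag: cookie is readable from JavaScript';
    }
    if (isset($attrs['max-age']) && (int) $attrs['max-age'] > $maxLifetime) {
        $findings[] = 'Max-Age ' . $attrs['max-age'] . 's exceeds policy of ' . $maxLifetime . 's';
    }
    if (isset($attrs['domain']) && $attrs['domain'] !== '') {
        $findings[] = 'Domain=' . $attrs['domain'] . ' also sends the cookie to subdomains';
    }
    return $findings;
}

// Constructed header reflecting the documented defaults (cookie_secure is false).
$default = 'bolt_session=0123abcd; Max-Age=1209600; path=/; HttpOnly';
// Constructed header after enabling cookie_secure and shortening cookie_lifetime.
$hardened = 'bolt_session=0123abcd; Max-Age=3600; path=/; Secure; HttpOnly';

foreach (['default' => $default, 'hardened' => $hardened] as $label => $header) {
    $findings = auditSessionCookie($header, 86400); // 86400 is an assumed policy value
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```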

Session ID generation
---------------------

Session IDs are randomly generated to uniquely identify a user's session. Bolt handles this generation internally, in a fashion close to how PHP 7.1+ does, to better ensure the uniqueness of the generated ID.

By default, both PHP & Bolt use an ID length of 32, which should provide only a small chance of collisions, or predictability, of the generated ID.

On hosts with a consistent amount of available CPU resources, and a focus on security, you should consider a length of 48 or greater. However, this will increase the server load, and the amount of time taken to generate session IDs.

An example of generating 1,000 session IDs on PHP 7.0 and an Intel i5-5200:

| ID length | milliseconds |
|---|---|
| 32 | 0.002059 |
| 48 | 0.002560 |
| 64 | 0.003031 |
| 128 | 0.003016 |
| 256 | 0.004132 |

Maximum value supported is 256.

| Key | Default | Accepted value |
|---|---|---|
| `sid_length` | 32 | Integer between 32 & 256 |

In PHP 7.1+ the `php.ini` setting is [`session.sid_length`](http://php.net/manual/en/session.configuration.php#ini.session.sid-length).

Session storage handler
-----------------------

Session storage handling, by default, is our filesystem layer. However, we also support Redis & Memcached for more advanced use-cases.

| Key | Default | Accepted value |
|---|---|---|
| `save_handler` | `filesystem` | `filesystem`, `redis`, `memcached` |

Setting in your `config.yml`:

In `php.ini` this setting is [`session.save_handler`](http://php.net/manual/en/session.configuration.php#ini.session.save-handler).

**Note:** Some web hosting providers may implement alternative session handling that is not compatible with Bolt Session.

Should you encounter exceptions from `SessionServiceProvider` indicating problems with PHP's system save path, set `save_handler: filesystem`, and the `save_path` option shown below.

### Using the Redis handler

When using Redis as the handler, the following options are also available under the `connections` subkey of the session options:

| Key | Default | Description |
|---|---|---|
| `host` | `localhost` | Host name or IP address of Redis server |
| `port` | 6379 | TCP port of Redis server |
| `timeout` | 0.0 | A float value in seconds (0.0 means unlimited) |
| `persistent` | `null` | Boolean to toggle persistent connections |
| `password` | `null` | (optional) Authenticate the connection using a password. **Warning:** The password is sent in plain-text over the network. |
| `prefix` | `null` | (optional) Prefix string used on all keys |
| `database` | `null` | Integer of the database index to connect to |

If the native `\Redis` library is available, it will be used as the handler for Redis. If it is not available, the handler will instead check for the PHP implementation of the native library, `\Predis\Client`, and use that.

### Using the Memcached handler

When using Memcached as the handler, the following options are also available under the `connections` subkey of the session options:

| Key | Default | Description |
|---|---|---|
| `host` | `localhost` | String host name or IP address of Memcached server |
| `port` | 11211 | TCP port of Memcached server |
| `weight` | 0 | (optional) The weight of the server relative to the total weight of all the servers in the pool. This controls the probability of the server being selected for operations. |
| `expiretime` | 86400 | (optional) Life time in seconds of stored keys |
| `prefix` | `sf2s` | (optional) Prefix string used on all keys |

Saved session file path
-----------------------


Session data is cached in between requests, and **is not** cleared by the normal cache clearing functionality.

Instead, it uses garbage collection to manage deletion of expired sessions. See the section below on garbage collection for details on configuration.

| Key | Default | Description |
|---|---|---|
| `save_path` | `cache://.sessions` | Path passed to the `save_handler` |

**Note:** Manually deleting session data on a live server is **never advised**. Should this ever be required on a live server, ensure all users are logged off, and place the site into maintenance mode first.

In `php.ini` this setting is [`session.save_path`](http://php.net/manual/en/session.configuration.php#ini.session.save-path).

### Using the Filesystem handler


When using the default filesystem handler, the `save_path` parameter needs to be in the form of `{mount point}://{path}`.

See the [Overview of Bolt's Filesystem](https://docs.bolt.cm/extensions/filesystem/introduction) page for details on the mount points available in Bolt.

**Warning:** If you set this to a world-readable directory, such as `/tmp`, other users on the server may be able to hijack sessions, or extract potentially sensitive data.
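One way to check a session directory against the warning above, as an added example that is not part of bolt/session. It assumes a POSIX host and PHP 7+, operates on a plain local directory rather than a Bolt mount point, and the function name and demo files are constructed.

```php
<?php
// Added example, not bolt/session code: audits a session directory on a POSIX host.

/** Return permission findings for a session directory and the files in it. */
function auditSessionPath(string $dir): array
{
    clearstatcache();
    $findings = [];
    $mode = fileperms($dir) & 0777;
    if ($mode & 0007) {
        $findings[] = sprintf('%s: mode %04o grants access to other users', $dir, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $findings[] = sprintf('%s: not owned by the PHP process user', $dir);
    }
    foreach (scandir($dir) as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (is_file($path) && (fileperms($path) & 0077)) {
            $findings[] = sprintf('%s: mode %04o grants access beyond the owner',
                $name, fileperms($path) & 0777);
        }
    }
    return $findings;
}

// Constructed demo: a permissive directory, then the same directory locked down.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess-audit-' . bin2hex(random_bytes(4));
mkdir($dir);
chmod($dir, 0755); // mkdir() is subject to the umask, so set the mode explicitly
$file = $dir . DIRECTORY_SEPARATOR . 'constructed.sess';
file_put_contents($file, 'user|s:5:"alice";'); // constructed session payload
chmod($file, 0644);
echo "permissive:\n", implode("\n", auditSessionPath($dir)), "\n";

chmod($dir, 0700);
chmod($file, 0600);
echo 'locked down: ', count(auditSessionPath($dir)), " findings\n";

unlink($file);
rmdir($dir);
```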

### Using the Redis handler


When using Redis as the handler, `save_path` should be defined in the format `tcp://IPADDRESS:PORT`, with a default of `tcp://127.0.0.1:6379`.

### Using the Memcached handler


When using Memcached as the handler, `save_path` should be defined in the format `IPADDRESS:PORT`, with a default of `127.0.0.1:11211`.

Garbage collection
------------------


Session garbage collection is the removal of sessions older than the configured maximum life time.

The need to perform garbage collection is determined based on a random probability calculation during the initialisation of each session.

### Maximum life time

The maximum life time setting specifies the number of seconds after which session data will be seen as 'garbage' and potentially cleaned up.

| Key | Default | Accepted value |
|---|---|---|
| `gc_maxlifetime` | 1209600 | Integer of seconds |

In `php.ini` this setting is [`session.gc_maxlifetime`](http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime).

### Probability & divisor

The setting `gc_divisor`, coupled with `gc_probability`, defines the probability that the garbage collection (GC) process is performed.

In Bolt's session storage handler, the probability is calculated by generating a random number between 0 and `gc_divisor`. If the value of `gc_probability` is greater than the random number, garbage collection will be performed, and session files older than the maximum configured life time are removed.

**Note:** To disable garbage collection, set `gc_probability` to `-1`.

| Key | Default | Accepted value |
|---|---|---|
| `gc_probability` | 1 | Integer |
| `gc_divisor` | 1000 | Integer |

In `php.ini` these settings are:

- [`session.gc_probability`](http://php.net/manual/en/session.configuration.php#ini.session.gc-probability)
- [`session.gc_divisor`](http://php.net/manual/en/session.configuration.php#ini.session.gc-divisor)
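The decision and sweep described above, modelled as an added example that is not bolt/session's own code. It shows that an expired session file stays on disk until a session start happens to trigger the sweep; the inclusive random bounds, the use of file modification time and the demo file names are assumptions, and it needs PHP 7+.

```php
<?php
// Added example, not bolt/session code: models the GC decision and sweep.

/** Decide whether this session start runs GC (inclusive bounds are an assumption). */
function gcShouldRun(int $gcProbability, int $gcDivisor): bool
{
    if ($gcProbability < 0) {
        return false; // a negative value such as -1 disables GC
    }
    return $gcProbability > random_int(0, max(0, $gcDivisor));
}

/** Delete files in $dir last modified more than $maxLifetime seconds before $now. */
function gcSweep(string $dir, int $maxLifetime, int $now): array
{
    clearstatcache();
    $removed = [];
    foreach (scandir($dir) as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (is_file($path) && filemtime($path) + $maxLifetime < $now) {
            unlink($path);
            $removed[] = $name;
        }
    }
    return $removed;
}

// Constructed demo: one expired and one fresh session file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gc-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now = time();
touch($dir . DIRECTORY_SEPARATOR . 'expired.sess', $now - 1209601);
touch($dir . DIRECTORY_SEPARATOR . 'fresh.sess', $now - 60);

// Count session starts until the documented defaults (1 / 1000) trigger GC.
$starts = 0;
do {
    $starts++;
} while (!gcShouldRun(1, 1000));
echo "GC first ran on session start #$starts", PHP_EOL;
echo 'removed: ', implode(', ', gcSweep($dir, 1209600, $now)), PHP_EOL;
echo 'runs with -1: ', var_export(gcShouldRun(-1, 1000), true), PHP_EOL;

array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*'));
rmdir($dir);
```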

