Session - Jet\Session
For working with sessions it is recommended to use Jet\Session class in Jet applications. Unlike Jet\Http_Request, it does not disable access to the superglobal array. Thus, $_SESSION can still be used, but it is definitely better to unify the work with session and use this class.
Using Session
Namespace
The Jet\Session class introduces the concept of a session namespace. The idea is to reduce the chance of data collisions within a session within a large and ideally modular application.
Let's look at an example: the Auth Controller needs to have the session ID of the logged in user. For example, it calls the key "user_id". This is fine except for a rather important detail. You have not one, but maybe two auth consoles in your application. One for logging in to the administration, the other for logging in the site visitor (or e-shop customer and so on). And it is clear that the user_id in the session of one controller is completely different from the user_id in the session of the other controller.
It is therefore necessary to solve such situations somehow and isolate the individual sessions from each other - create namespaces in the session.
You might be thinking: well, yeah, but what if two components of an application use the same space and that's not the intention? That can happen. The way to prevent this is that the session namespace name should be as situation-specific as possible. For example, the auth controller for administration will use the namespace auth_admin and the auth controller for web will use auth_web. And this is already substantially less likely to collide than if "something" in the session makes the user_id key. It is therefore necessary to choose session namespaces so that it is clear what the session is associated with and why. And for example, for application modules, it is suggested to use the module name for the session namespace name, and so on.
Writing and Reading
To work with the session it is necessary to create an instance of Jet\Session. The only parameter is the name of the session namespace.
The session is then written as follows:
$session = new Session('my-namespace');
$session->setValue('my-value', $some_value);
Reading from a session is done as follows:
$session = new Session('my-namespace');
$some_value = $session->getValue('my-value', 'default-value');
Unlike Jet\Http_Request, Session doesn't do any type checking and so on. This is because within a session you are not supposed to work with user input, or more precisely, certainly not with unvalidated and unvalidated user input. Working with a session is low-level enough that you can expect to work with trusted data. For example, you certainly don't enter the ID of a logged-in user into a session unless you are sure that the user is really logged in and the ID is valid. And if someone wants to write something unvalidated to the session, even holy water won't help, let alone a data type check.
Session validation
Jet session allows you to insert a session validator. In practice it is simple. For example, somewhere in the application initialization you can do the following:
Session::setSessionValidator(function() : bool {
if(empty($_SESSION['client_ip'])) {
$_SESSION['client_ip'] = Http_Request::clientIP();
return true;
}
if($_SESSION['client_ip'] != Http_Request::clientIP()) {
return false;
}
// ... check something ...
return true;
});
Then insert any logic that helps validate the session and is called immediately after the session is started (after calling session_start() ).
This anonymous function must return bool and if it returns false, then the session is invalidated.
Jet does not contain any predefined validators. It is desirable that each application ideally chooses its own session validation mechanism (if you use session validation).
Overview of Jet\Session class methods
General methods for working with sessions
| Method | Meaning of |
|---|---|
| public static setSessionValidator( callable $session_validator ): void |
Sets the session validator. |
| public static getSessionValidator( ): callable |
Returns the session validator. |
| public static regenerateId( ): void |
Force the session ID re-generation. |
| public static destroy( ): void |
Invalidate the session. |
| public static getSessionId( ): string |
Returns the session ID. |
Methods for working with the session namespace
| Method | Meaning of |
|---|---|
| public __construct( string $namespace ) |
The name of the session namespace must be a parameter of the constructor. |
| public getNamespace( ): null|string |
Returns the name of the session namespace of the instance. |
| public setValue( string $key, mixed $value ): void |
Sets the data value in the named session. |
| public unsetValue( string $key ): void |
Removes a value from the session namespace. |
| public getValueExists( string $key ): bool |
Verifies that the value exists. |
| public getValue( string $key, mixed $default_value = null ): mixed |
Returns the value and if it has not been set yet, then returns the default value. |
| public reset( ): void |
Resets the given namespace (but only the given namespace - not the entire session). That is, it removes all relevant values from the session. |