User session management¶
User sessions in TYPO3 are represented as User
objects. The TYPO3
authentication service chain creates or updates user sessions
when authenticating users.
The User
object contains all information regarding a users' session,
for website visitors with session data (e.g. basket for anonymous / not-logged-in users),
for frontend users as well as authenticated backend users. These are for example,
the session id, the session data, if a session was updated, if the session is anonymous,
or if it is marked as permanent and so on.
The User
object can be used to change and
retrieve information in an object-oriented way.
For creating User
-objects the User
must be used
since this manager acts as the main factory for user
sessions and therefore handles all necessary tasks like fetching, evaluating
and persisting them. Effectively encapsulating all calls to the
Session
which is used for the session backend.
Public API of UserSessionManager
¶
The User
can be retrieved using its static factory
method create
:
use TYPO3\CMS\Core\Session\UserSessionManager;
$loginType = 'BE'; // or 'FE' for frontend
$userSessionManager = UserSessionManager::create($loginType);
You can then use the User
to work
with user sessions. A couple of public methods are available:
Method | Description |
---|---|
createFromRequestOrAnonymous($request, $cookieName) | Creates and returns a session from the given request. If the given
cookie can not be obtained from the request an anonymous
session will be returned. |
createFromGlobalCookieOrAnonymous($cookieName) | Creates and returns a session from a global cookie ($_ ).
If no cookie can be found for the given name, an anonymous session
will be returned.
It is recommended to use the PSR-7-Request based method instead,
as this method is scheduled for removal in TYPO3 v13.0. |
createAnonymousSession() | Creates and returns an anonymous session object (not persisted). |
createSessionFromStorage($sessionId) | Creates and returns a new session object for a given session id. |
hasExpired($session) | Checks whether a given user session object has expired. |
willExpire($session, $gracePeriod) | Checks whether a given user session will expire within the given grace period. |
fixateAnonymousSession($session, $isPermanent) | Persists an anonymous session without a user logged in, in order to store session data between requests. |
elevateToFixatedUserSession($session, $userId, $isPermanent) | Removes existing entries, creates and returns a new user session object. See regenerateSession() below. |
regenerateSession($sessionId, $sessionRecord, $anonymous) | Regenerates the given session. This method should be used whenever a user proceeds to a higher authorization level, e.g. when an anonymous session is now authenticated. |
updateSessionTimestamp($session) | Updates the session timestamp for the given user session if the session is marked as "needs update" (which means the current timestamp is greater than "last updated + a specified gracetime"). |
isSessionPersisted($session) | Checks whether a given session is already persisted. |
removeSession($session) | Removes a given session from the session backend. |
updateSession($session) | Updates the session data + timestamp in the session backend. |
collectGarbage($garbageCollectionProbability) | Calls the session backends collect method. |
Public API of UserSession
¶
The session object created or retrieved by the User
provides the following API methods:
Method | Return type | Description |
---|---|---|
getIdentifier() | String | Returns the session id. This is the ses_ respectively the
Abstract . |
getUserId() | Int or NULL | Returns the user id the session belongs to. Can also return 0 or NULL
Which indicates an anonymous session. This is the ses_ . |
getLastUpdated() | Int | Returns the timestamp of the last session data update. This is the
ses_ . |
set($key, $value) | Void | Set or update session data value for a given key. It's also internally used
if calling Abstract . |
get($key) | Mixed | Returns the session data for the given key or NULL if the key does not
exist. It's internally used if calling
Abstract . |
getData() | Array | Returns the whole data array. |
hasData() | Bool | Checks whether the session has some data assigned. |
overrideData($data) | Void | Overrides the whole data array. Can also be used to unset the array. This
also sets the $was pointer to TRUE |
dataWasUpdated() | Bool | Checks whether the session data has been updated. |
isAnonymous() | Bool | Check if the user session is an anonymous one. This means, the session does not belong to a logged-in user. |
getIpLock() | string | Returns the ipLock state of the session |
isNew() | Bool | Checks whether the session is new. |
isPermanent() | Bool | Checks whether the session was marked as permanent on creation. |
needsUpdate() | Bool | Checks whether the session has to be updated. |
toArray() | Array | Returns the session and its data as array in the old session format. |