Brain offers a session class for database-backed sessions, made primarily for use with Brain’s Auth. While you can add, view, and remove data from the session, its primary goal is to keep user authentication as secure as possible. This doesn’t happen with cookie-based sessions unless you track the session ID in the database, and if you’re going to do that, then why not use database sessions?

The session class analyzes the current URI scheme and the cookie_secure setting to determine whether it should set the cookie used for SSL encrypted requests or a separate one used for non-SSL encrypted requests. Again, with security as the focus of the class, we want to ensure that cookies used for SSL encrypted requests are not available to non-SSL encrypted requests. You can force the session class to use a single cookie and let it be available everywhere, but please do this at your own risk.
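The scheme-based cookie split described above, as an added PHP sketch that is not Brain's own Session.php. The cookie names, helper function names and the two-year lifetime used when secs_expire is FALSE are assumptions; cookie_secure and secs_expire are the keys from config/session.php.

```php
<?php
// Added illustration, not Brain's Session.php. Cookie names, helper names and
// the two-year "persistent" lifetime are assumptions made for this example.

const COOKIE_TLS      = 'sess_secure'; // only ever set and sent over HTTPS
const COOKIE_PLAIN    = 'sess_plain';  // used for plain-HTTP requests
const PERSISTENT_SECS = 63072000;      // assumed lifetime when secs_expire is FALSE

// Decide from server variables whether the current request arrived over TLS.
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Return [cookie name, setcookie() options] for this request.
function session_cookie_for(array $server, array $cfg, int $now): array
{
    // The Secure attribute is set only when the config asks for it AND the
    // request is HTTPS; a Secure cookie is never sent back over plain HTTP.
    $secure = $cfg['cookie_secure'] && request_is_https($server);

    $secs = $cfg['secs_expire'];
    if ($secs === false) {
        $expires = $now + PERSISTENT_SECS; // long-lived persistent cookie
    } elseif ($secs === 0) {
        $expires = 0;                      // dropped when the browser closes
    } else {
        $expires = $now + $secs;
    }

    return [$secure ? COOKIE_TLS : COOKIE_PLAIN, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,  // keep the session ID away from page scripts
        'samesite' => 'Lax',
    ]];
}

// Constructed requests: the same config yields two separate cookies.
$cfg = ['cookie_secure' => true, 'secs_expire' => 720];
foreach ([['HTTPS' => 'on', 'SERVER_PORT' => 443], ['SERVER_PORT' => 80]] as $srv) {
    [$name, $opts] = session_cookie_for($srv, $cfg, 1700000000);
    printf("%-12s secure=%s expires=%d\n", $name, var_export($opts['secure'], true), $opts['expires']);
}
```

The returned options array is in the form accepted by PHP's setcookie($name, $value, $options) since PHP 7.3.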

All session data is encrypted. All session IDs stored in the cookies are encrypted. Even if a person can view the contents of the cookie, there is not much of a chance they could alter it in a meaningful way.

Multiple sessions can be attached to an Auth user. By default this is turned off, but if you turn it on, your users will be able to log in from multiple devices. Provided that you allow for persistent cookies, or have set their expiration pretty far in the future, your users will enjoy a secure session.


General session configuration is done in config/session.php. There you are able to set the session expiration, cookie params, refresh rate, and more. Any class property can be set here. Have a look at the top of Session.php to see what damage you can do!

// Set config in config/session.php
$cfg['session_config'] = [
  // 12 Mins (set to zero to drop @ browser close, FALSE for long range persistent session)
  'secs_expire'            => 720,
  // Force IPs to match or no?
  'enforce_ip_match'       => FALSE,
  // Force user agent match or no?
  'enforce_ua_match'       => TRUE,
  // Cookie secure or not?
  'cookie_secure'          => TRUE,
  // Multiple user sessions?
  'multiple_user_sessions' => TRUE,
  // How often should the session be regenerated?
  'session_refresh'        => 180
];


// Get the session instance to work with
$session = $this->container['session'];

// Add something to the session
$session->set_sessdata('something', 'nice');

// Get something from the session
$value = $session->sessdata('something');

// Add a flash token
$session->set_flashdata('dummy', 'yup');

// Get the value of the flash token
$value = $session->flashdata('dummy');

// Keep flash data for another request

// Kill the session