Skip to main content

Overview

Sessions provide a way to store information about the user across multiple requests. Laravel supports various session backends through a unified API, configured in config/session.php.

Default Session Driver

.env
SESSION_DRIVER=database
SESSION_LIFETIME=120
config/session.php
'driver' => env('SESSION_DRIVER', 'database'),
'lifetime' => (int) env('SESSION_LIFETIME', 120),

Available Session Drivers

Laravel supports these session drivers:
  • file - File-based sessions in storage/framework/sessions
  • cookie - Encrypted cookie storage
  • database - Database table storage
  • memcached - Memcached server
  • redis - Redis server
  • dynamodb - Amazon DynamoDB
  • array - In-memory storage (testing only)

File Driver

Stores sessions as files on disk.
.env
SESSION_DRIVER=file
config/session.php
'driver' => 'file',
'files' => storage_path('framework/sessions'),
Ensure the storage/framework/sessions directory is writable by the web server.
Stores encrypted session data in cookies.
.env
SESSION_DRIVER=cookie
Cookies are limited to 4KB. Use this driver only for small session data.

Database Driver

Stores sessions in a database table. Recommended for most applications.

Environment Variables

.env
SESSION_DRIVER=database
SESSION_CONNECTION=
SESSION_TABLE=sessions

Configuration

config/session.php
'driver' => 'database',
'connection' => env('SESSION_CONNECTION'),
'table' => env('SESSION_TABLE', 'sessions'),

Setup

Create the sessions table: 
php artisan migrate
The sessions table migration is included by default at: database/migrations/0001_01_01_000000_create_users_table.php
The database driver provides better scalability than file-based sessions for multi-server setups.

Redis Driver

Uses Redis for high-performance session storage.
.env
SESSION_DRIVER=redis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
config/session.php
'driver' => 'redis',
'connection' => env('SESSION_CONNECTION'),
Redis is ideal for applications with high traffic and multiple servers.

Memcached Driver

Uses Memcached for distributed session storage.
.env
SESSION_DRIVER=memcached
MEMCACHED_HOST=127.0.0.1
MEMCACHED_PORT=11211

DynamoDB Driver

Uses Amazon DynamoDB for cloud-based session storage.
.env
SESSION_DRIVER=dynamodb
AWS_ACCESS_KEY_ID=your-key
AWS_SECRET_ACCESS_KEY=your-secret
AWS_DEFAULT_REGION=us-east-1

Session Lifetime

Control how long sessions remain valid:
.env
SESSION_LIFETIME=120
SESSION_EXPIRE_ON_CLOSE=false
config/session.php
'lifetime' => (int) env('SESSION_LIFETIME', 120),
'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
Number of minutes before the session expires due to inactivity.Default: 120 minutes (2 hours)
When true, sessions expire when the browser closes.Default: false
This behavior depends on browser implementation and may not work reliably.

Session Encryption

Encrypt all session data before storage:
.env
SESSION_ENCRYPT=false
config/session.php
'encrypt' => env('SESSION_ENCRYPT', false),
The cookie driver always encrypts data. Other drivers only encrypt if this option is enabled.

Session Sweeping

Automatically clean up old sessions:
config/session.php
'lottery' => [2, 100],
This configuration means there’s a 2 in 100 chance (2%) that old sessions will be garbage collected on each request.
Lower the probability for high-traffic applications to reduce overhead.
Control session cookie behavior:
.env
SESSION_COOKIE=laravel-session
config/session.php
'cookie' => env(
    'SESSION_COOKIE',
    Str::slug((string) env('APP_NAME', 'laravel')).'-session'
),
.env
SESSION_PATH=/
SESSION_DOMAIN=null
config/session.php
'path' => env('SESSION_PATH', '/'),
'domain' => env('SESSION_DOMAIN'),

Security Options

.env
SESSION_SECURE_COOKIE=null
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax
SESSION_PARTITIONED_COOKIE=false
config/session.php
'secure' => env('SESSION_SECURE_COOKIE'),
'http_only' => env('SESSION_HTTP_ONLY', true),
'same_site' => env('SESSION_SAME_SITE', 'lax'),
'partitioned' => env('SESSION_PARTITIONED_COOKIE', false),
Only send cookies over HTTPS connections.Recommended: true in production
Prevent JavaScript access to the cookie.Recommended: true (prevents XSS attacks)
Control cross-site request behavior.Options: lax, strict, none, nullDefault: lax (good balance of security and usability)
Enable partitioned cookies for cross-site contexts.Default: false
Requires secure to be true and same_site to be none

Using Sessions

Storing Data

use Illuminate\Support\Facades\Session;

// Via session helper
session(['key' => 'value']);

// Via facade
Session::put('key', 'value');

// Via request
$request->session()->put('key', 'value');

Retrieving Data

// Via helper
$value = session('key');
$value = session('key', 'default');

// Via facade
$value = Session::get('key');
$value = Session::get('key', 'default');

// Via request
$value = $request->session()->get('key');

Flash Data

Store data for the next request only: 
$request->session()->flash('status', 'Task completed!');

// Retrieve flash data
$status = session('status');

Deleting Data

// Forget specific key
session()->forget('key');

// Clear all session data
session()->flush();

// Regenerate session ID
session()->regenerate();

Session Cache Store

For cache-driven session backends:
.env
SESSION_STORE=
config/session.php
'store' => env('SESSION_STORE'),
Applies to dynamodb, memcached, and redis drivers. Must match a defined cache store.

Best Practices

1

Use database or Redis in production

File and cookie drivers don’t scale well across multiple servers.
2

Enable secure cookies in production

Set SESSION_SECURE_COOKIE=true when using HTTPS.
3

Keep http_only enabled

Prevents XSS attacks from stealing session data.
4

Regenerate session IDs after login

Prevents session fixation attacks.
$request->session()->regenerate();
5

Set appropriate lifetime

Balance security with user experience. Shorter is more secure.

Artisan Commands

# Clear session data
php artisan session:clear

# Create sessions table migration
php artisan session:table

Next Steps

Queue Configuration

Configure background job processing

Cache Configuration

Set up application caching

Build docs developers (and LLMs) love

Get started for freeTalk to us