Session handling and GDPR
When coding for concrete5 you shouldn't use the $_SESSION superglobal: there's the really handy Session object.
To get this object in a controller file, you can simply write this:
$session = $this->app->make('session');
If you are not in a controller, you'll need the Application instance, for example with this code:
$app = \Concrete\Core\Support\Facade\Application::getFacadeApplication();
$session = $app->make('session');
Please note that getting the Session instance will start the session (which implies setting a cookie on the visitor's web browser).
This is not a problem if you are storing a value in the session object, but it is pointless if you only want to read something from the session: when no session exists yet there is nothing to read, and the visitor receives a cookie anyway.
Since concrete5 version 8.4.0 you can use the SessionValidator service class to check if there's already an active session, so that you can get the Session instance only if it's already created:
$sessionValidator = $this->app->make(\Concrete\Core\Session\SessionValidator::class);
$session = $sessionValidator->hasActiveSession() ? $this->app->make('session') : null;
With the above code, $session will be null if there's no active session, or it will contain the Session instance otherwise.
Since concrete5 version 8.5.1 you can also use this code (with the same result):
$session = $this->app->make(\Concrete\Core\Session\SessionValidator::class)->getActiveSession();
Once you have the Session instance, you can use all the fancy Symfony methods of the Session object:
$session->has('key')
$session->get('key', 'defaultValue')
$session->set('key', 'newValue')
$session->remove('key')
$session->all()
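The read-without-starting pattern described above, wrapped in a small helper so that only writes ever create the session cookie. This is an added example, not concrete5 core code: the class name LazySession is hypothetical, and it assumes concrete5 8.4.0 or later.

```php
<?php
use Concrete\Core\Application\Application;
use Concrete\Core\Session\SessionValidator;

// Hypothetical helper (not part of concrete5): reads never start a session,
// so visitors who have nothing stored get no session cookie.
class LazySession
{
    private $app;

    public function __construct(Application $app)
    {
        $this->app = $app;
    }

    // Returns the Session only if one already exists, otherwise null.
    private function active()
    {
        $validator = $this->app->make(SessionValidator::class);
        if (method_exists($validator, 'getActiveSession')) {
            return $validator->getActiveSession(); // concrete5 8.5.1+
        }
        // concrete5 8.4.0 to 8.5.0
        return $validator->hasActiveSession() ? $this->app->make('session') : null;
    }

    public function get($key, $default = null)
    {
        $session = $this->active();
        return $session === null ? $default : $session->get($key, $default);
    }

    public function set($key, $value)
    {
        // Writing needs a session: this call starts one and sets the cookie.
        $this->app->make('session')->set($key, $value);
    }

    public function remove($key)
    {
        // Nothing to remove if no session was ever started.
        $session = $this->active();
        if ($session !== null) {
            $session->remove($key);
        }
    }
}
```

In a controller it can be created with new LazySession($this->app); call set() only at a point where storing a cookie on the visitor's browser is acceptable.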