php - My Laravel 5.2.10 Sessions wont persist

Question

I have a brand new installation of Laravel 5, in fact I have tried this on multiple versions and keep hitting the same issue.

I have not changed anything from the default except setting the session driver to redis. (File based also has the same issue).

I have two routes set as follows

Route::get('/set/{value}', function($value) {
    var_dump(Session::getId());
    Session::set('test', $value);
    return view('welcome');
});

Route::get('/get', function() {
    return 'Get ' . Session::get('test');
});

If I visit the url /set/abc I see the session appear in REDIS (I also see the file created when using file based). The session looks fine in REDIS as shown below

127.0.0.1:6379> KEYS *
 1) "laravel:1a3ae6caff6346e4a173fdc1ab4c6eb0f138806b"
 2) "laravel:fed1af2fb44c6e625953237c3fa6fcbb05366a5c"
 3) "laravel:cb37286ccfe3e7caa20557aca840f50cb5a5f20d"

Every time I visit the page though, it recreates a new session.

The key parts of session.php file is as follows:

'lifetime' => 120,

'expire_on_close' => false,

I have also checked in REDIS the TTL of the session variables and they do get initialised at 120 minutes (equivalent in seconds).

Any idea what I am doing wrong?

It might be worth noting I am using a homestead vm (completely stock) to test this. I have also tried using multiple browsers. No cookies are ever sent to the browser, I presume a session id should be sent to the browser as part of the initial get request?

Answer 1

Laravel's middleware class IlluminateSessionMiddlewareStartSession is responsible for starting your session. Before L5.2, this ran on every request because it was part of the global middleware stack. Now, it's optional because L5.2 wants to allow for both a web UI and an API within the same application.

If you open up app/Http/Kernel.php, you'll see that the StartSession middleware is part of a middleware group called web. You need to put all your routes inside there for your example to work.

Route::group(['middleware' => ['web']], function () {
    Route::get('/set/{value}', function($value) {
        var_dump(Session::getId());
        Session::set('test', $value);
        return view('welcome');
    });

    Route::get('/get', function() {
        return 'Get ' . Session::get('test');
    });
});

You can see that the web middleware group is also responsible for other things like providing the $errors variable on all views.

You can read more about it in the docs:

By default, the routes.php file contains a single route as well as a route group that applies the web middleware group to all routes it contains. This middleware group provides session state and CSRF protection to routes.

Any routes not placed within the web middleware group will not have access to sessions and CSRF protection, so make sure any routes that need these features are placed within the group. Typically, you will place most of your routes within this group:

Source: https://laravel.com/docs/5.2/routing