Sessions

Session cookies are signed with HMAC-SHA256 to prevent session fixation attacks. Over TLS (or when setForceSecureCookies(1) is set), the cookie name changes to __Host-BOLTSESSION with the Secure flag. Calling clearSession() also expires the cookie on the client side.

$bolt.setSession(cKey, cValue)

Set session value.

$bolt.setSession("user_id", "123")
$bolt.setSession("role", "admin")

$bolt.getSession(cKey)

Get session value.

userId = $bolt.getSession("user_id")

$bolt.deleteSession(cKey)

Delete session key.

$bolt.deleteSession("user_id")

$bolt.clearSession()

Clear all session data.

$bolt.clearSession()

$bolt.regenerateSession()

Regenerate session ID, migrate data, and invalidate the old session. Prevents session fixation attacks. Call after login or privilege escalation.

$bolt.regenerateSession()
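
The signing described at the top of this page and the regeneration step above can be modelled in a few lines. This is an added Python example, not Bolt's own code: the `id.signature` cookie layout, the in-memory store and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)   # assumption: per-application signing key
STORE = {}                         # assumption: server-side store, session id -> data


def sign(session_id: str) -> str:
    """Return 'id.signature', the cookie value layout assumed here."""
    mac = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify(cookie: str):
    """Return the session id if the signature is valid and the session exists."""
    session_id, sep, _ = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(cookie.encode(), sign(session_id).encode()):
        return None
    return session_id if session_id in STORE else None


def new_session() -> str:
    session_id = secrets.token_urlsafe(32)
    STORE[session_id] = {}
    return sign(session_id)


def regenerate(cookie: str):
    """Issue a new id, migrate the data, and invalidate the old id."""
    old_id = verify(cookie)
    if old_id is None:
        return None
    new_id = secrets.token_urlsafe(32)
    STORE[new_id] = STORE.pop(old_id)   # pop() removes the old session
    return sign(new_id)


def demo():
    pre_login = new_session()                    # cookie issued before login
    forged = "client-chosen-id." + "0" * 64      # constructed: id without a valid signature
    STORE[verify(pre_login)]["cart"] = "3 items"
    post_login = regenerate(pre_login)           # the step to run at login
    STORE[verify(post_login)]["user_id"] = "123"
    return verify(forged), verify(pre_login), STORE[verify(post_login)]
```

`demo()` returns `None` for both the unsigned id and the pre-login cookie, while the data stored before login is still present under the new id.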

$bolt.setFlash(cKey, cValue)

Set flash message (one-time session data).

$bolt.setFlash("success", "User created!")

$bolt.getFlash(cKey)

Get and clear flash message.

msg = $bolt.getFlash("success")

$bolt.hasFlash(cKey)

Check if flash message exists.

if $bolt.hasFlash("error")
    # ...
ok