Session Configuration
Cookies and lifetime.
config/session.php controls PHP session behavior.
Keys #
| Key | Env Variable | Default | Description |
|---|---|---|---|
session.driver |
- | file |
Session driver (PHP native) |
session.lifetime |
SESSION_LIFETIME |
7200 |
Lifetime in seconds (2 hours) |
session.name |
SESSION_COOKIE |
velvet_session |
Cookie name |
session.http_only |
- | true |
Prevents JavaScript access (XSS protection) |
session.secure |
SESSION_SECURE_COOKIE |
null |
HTTPS-only cookies (true, false, or auto) |
session.same_site |
- | Lax |
SameSite attribute (Lax, Strict, None) |
Optional keys #
These are read by StartSessionMiddleware even if not present in the default config file:
| Key | Description |
|---|---|
session.strict_mode |
Enable PHP strict mode |
session.use_only_cookies |
Disable URL-based session IDs |
session.path |
Cookie path override |
session.domain |
Cookie domain override |
Tenancy #
If tenancy uses the path resolver and session.path is not set, the cookie path is automatically scoped to the tenant prefix.