Why no DI for sessions?

I think I have a fairly run of the mill application that does authentication. At the point where a user is attempting to login I need slim/csrf and slim/flash. Both of these depend on $_SESSION, but it isn’t treated as a dependency (ie: I can’t pass it in). Now, I get that it’s $_SESSION is a PHP superglobal, but it’s still a dependency the way I look at it, because the modules won’t function with out it and I have to start it.

So, right now, I being lazy and I create a session every time no matter what. I don’t like the fact that sessions are being created for anonymous users just browsing around. I’d like to be able to pass in $this->session to both (or anything else that depends on a session) and let the DI container create the session prior to entry and independent of who needs it.

What am I missing?


Well you can’t verify any login details without session, lets say that logged in user comes back to your site after couple minutes wihtout logging out, usually this user should be logged back in automatically.

Anyway, if you really need to, you are able to inject csrf and flash in middleware as well, and you can add middleware per route so this way you can handle where these services are used. But generally I don’t see any problem of creating sessions for all users if the service is mostly for logged in users only.

If you need a session manager with multiple features, try this https://github.com/adbario/slim-secure-session-middleware