We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

how to Setting up Session with database And match ip AND expiration time?

I would Create an application by Database based Session's And more options on the session:

  1. Set expiration time

  2. Force match ip

  3. Force match User-Agent

I can't find my answer at:


How to combine (join) my target settings by this settings?

$di->set('session', function() use ($config)  {
    // Create a connection
    $connection = new DbAdapter([
        'host' => $config->database->host,
        'username' => $config->database->username,
        'password' => $config->database->password,
        'dbname' => $config->database->dbname
    $session = new Database([
        'db'    => $connection,
        'table' => 'session_data'


    return $session;

You have multiple ways how to do that:

  1. Extend database session adapter and implement logic you want.
  2. Store your options in session data and validate them before registering session service.
  3. Store your options in session and make new service class or factory which will do validation and which will return session adapter.
edited Apr '16

Good luck when your database goes down on heavy concurent usage for a session storage. You should switch to Memcached as session adapter, implementing your rules on session creation there etc. I had similar requirement where database sessions were just not possibile. RDBMS just can't sustain such heavy load during peak times. With Phalcon, using libmemcached adapter everything went fine.

other very good alternative how to save sessions is in ramdisk, rdbms is definitely not optimal

edited Apr '16


I use memcached instead of database

I recently migrating from CodeIgniter to Phalcon

I will translate Phalcon Documentions To Persian For introduction it :)

Thank you!


Phalcon Incubator is not safe against session hijacking! any better solution?

@alimo2: what do you mean, some incubator part which handles session?


@alimo2: what do you mean, some incubator part which handles session?

take a look at incubator session, there is no check for hijacking! simply set session cookie in another browser & get session created by others!