We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Phalcon 3.2.2 - Session->setId($string) doesn't seem to work


I've got a web app that runs on 2 domains. If user logs in on one of them, he also gets automatically logged in on the other.

To achieve this I've setup a custom session table in the database and a custom session adapter that makes use of it.

When user is logged in on domain A and then visits the domain B, the domain B receives a login token. By using this token the system has to change his current session ID on domain B to match the domain A.

This function is supposed to achieve this:

public function tokenLogin ($token = '') {

    if ($token == '') return FALSE;

    // Getting the user's logged-in session through token
    $dbSession = DBSession::findFirstByToken($token);

    if ($dbSession !== FALSE) {

        if (!is_null($dbSession->userId) && $dbSession->user !== FALSE) {

            $session = $this->getDI()->getSession();
            $session->login = TRUE;


            // Setting current session to match the logged in SSID

            $session->set('auth', TRUE);
            $session->set('userId', $dbSession->user->id);
            if ($dbSession->user->isAdmin) $session->set('isAdmin', TRUE);

            // Make a new token
            $session->set('token', md5(\Phalcon\Text::random(\Phalcon\Text::RANDOM_ALNUM, 10) . $user->email . $_SERVER['REMOTE_ADDR'] . date('YmdHis')));

            // Update login data.
            $dbSession->user->lastLoginDate = date('Y-m-d H:i:s');
            $dbSession->user->lastLoginIP = $_SERVER['REMOTE_ADDR'];

            return $dbSession->user->save();

    return FALSE;

However, with the code above the new SSID is used only from line $session->setId($dbSession->ssid); and until the code execution ends. The previous SSID somehow pops up again in all further executions.

I’ve also found out how to make it work. I have to replace $session->setId($dbSession->ssid); with session_id($dbSession->ssid); and $session->start(); with session_start();.

So my question is: What is wrong with the $session->setId() and $session->start() functions? Why won’t the SSID persist if I use them but will if I use native PHP functions?

Phalcon has its own session component. You should be using that, https://docs.phalcon.io/en/3.2/session

I dont know how you came to this complicated mess.