Session key being set even for unlogged visits? (Redis session driver)
I've just been playing about with adding a separate redis instance to store sessions, and found that a key is set as a result even of an unlogged visit.
This conflicts with my understanding of what sessions are supposed to be. Can someone explain? Or point to source which would explain this?
If by "unlogged visit" you mean they weren't logged in (just an anonymous visitor to the site) then it's normal. This is just how php sessions work (including Laravel).
You can use sessions for non-logged in users. For instance, the session is where the csrf token is stored. How would a non-logged in user fill out a form with csrf protection if there wasn't some sort of session? The session also stores the last url that they were on, so you can redirect()->back(), etc.
It does this for all session types, including the file session driver.
So, if I understand correctly, session only needs an extant client (e.g. a browser), not a logged state. A logged user just means to add authentication on top. And even if a user is "anonymous", we can still track the same visitor's visit to several pages on our site.
So I could just go ahead and use Session:: on public pages that did not assume any Auth::.
Cool... I think there's lots I could potentially do with that.
