dcro / secure-client-side-session-handler
Securely store PHP session information on the client side using cookies (session data is encrypted & compressed)
Requires
- php: >=5.4.0
This package is not auto-updated.
Last update: 2025-05-06 05:20:42 UTC
README
Securely store PHP session information on the client side using encrypted cookies (with AES encryption). This is useful in cases where you don't want to store the session information on a file system or database (e.g. usually when using load balancing or multiple servers in different geographical regions).
Because there's a browser limit of around 4KB of data available for cookies, the session data is first compressed using the deflate algorithm. You should also keep in mind that the session data stored in the client side cookie is sent back to the server with every request so it's important to keep the data as small as possible.
Installation
You can either get the SecureClientSideSessionHandler.php file from Git or you can install the library via Composer. To use Composer, simply add the following to your composer.json file:
{
    "require": {
        "dcro/secure-client-side-session-handler": "dev-master"
    }
}
How to use it?
By default, the class is configured to only set the data cookie over a secure HTTPS connection. This behaviour can be overridden by setting the cookieSecure static var (SecureClientSideSessionHandler::$cookieSecure) to false.
You can also customize the cookie-specific settings (name, domain, path, etc.) using the cookieName, cookiePath, cookieDomain and cookieHTTPOnly static vars, or you can customize the data compression level (for the deflate algorithm) using the compressionLevel static var (supported values from 0 to 9).
You can initialize the session handler with:
SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();
The encryption key and encryption key salt can be any string values (they don't need to be very long, as the final encryption key is a SHA-256 hash of the-encryption-key + random-salt + the-encryption-key-salt).
If you want to enable the session data cookie over HTTP (disabled by default), you'll need to initialize the session handler with:
SecureClientSideSessionHandler::$cookieSecure = false;
SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();
The default cookie name for the session handler is PHPSESSDATA. You can customize the cookie name with:
SecureClientSideSessionHandler::$cookieName = 'CUSTOM-COOKIE-NAME';
SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();
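A fuller bootstrap, added here as an example and not part of the library or its README: it wires the static vars described above together, reads the key and salt from the environment instead of hardcoding them, and adds a small helper (estimateCookieBytes, written for this example) that applies the same deflate step to the encoded session so you can notice when the payload approaches the roughly 4KB cookie limit. It assumes the class is Composer-autoloaded in the global namespace, as the README's calls suggest, and that the environment variable names SESSION_ENC_KEY and SESSION_ENC_SALT are your own.

```php
<?php
// Added example; assumes the library is installed via Composer and exposes the
// static vars and initialize() method described in the README.
require __DIR__ . '/vendor/autoload.php';

// Keep the encryption key and salt out of the code base (env var names are assumed).
$key  = getenv('SESSION_ENC_KEY');
$salt = getenv('SESSION_ENC_SALT');
if ($key === false || $salt === false) {
    throw new RuntimeException('SESSION_ENC_KEY and SESSION_ENC_SALT must be set');
}

// Cookie settings from the README: HTTPS-only (the default), not readable by
// JavaScript, scoped to the whole site, default deflate level.
SecureClientSideSessionHandler::$cookieSecure     = true;
SecureClientSideSessionHandler::$cookieHTTPOnly   = true;
SecureClientSideSessionHandler::$cookieName       = 'APPSESS';
SecureClientSideSessionHandler::$cookiePath       = '/';
SecureClientSideSessionHandler::$compressionLevel = 6;

SecureClientSideSessionHandler::initialize($key, $salt);
session_start();

/**
 * Rough estimate (helper written for this example) of the cookie size produced
 * from the current session: deflate at the configured level, then base64 growth
 * plus a fixed allowance for the random salt, IV and MAC the library adds.
 * The allowance is a guess, not the library's exact layout, so keep headroom.
 */
function estimateCookieBytes(string $encodedSession, int $level): int
{
    $compressed = gzdeflate($encodedSession, $level);
    return (int) ceil(strlen($compressed) * 4 / 3) + 128;
}

$_SESSION['user_id'] = 42;
$_SESSION['roles']   = ['editor'];
// Bulky data (query results, rendered fragments) does not belong here: the
// whole cookie travels with every request.

$budget  = 4096;
$encoded = session_encode();
if ($encoded !== false) {
    $bytes = estimateCookieBytes($encoded, SecureClientSideSessionHandler::$compressionLevel);
    if ($bytes > $budget * 0.75) {
        error_log("session payload ~{$bytes} bytes, close to the {$budget}-byte cookie limit");
    }
}
```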