A PHP port of hueniverse/iron

0.4.0 2016-05-23 05:10 UTC


Build Status Scrutinizer Code Quality Apache 2 License Total Downloads Author

iron-php is a PHP implementation of the Iron library. Iron generates encapsulated tokens suitable for embedding in cookies, query parameters, and HTTP headers.

$ composer require jsq/iron-php

Please consult the Iron [security considerations] (https://github.com/hueniverse/iron#security-considerations) before using this library.

Differences from Iron

iron-php supports the token format generated by Iron 4.0, with the following exceptions:

  • The payload encryption cipher method is configurable but cannot be set to any GCM or CTR variant of AES. This is due to a PHP limitation that will be addressed in PHP 7.1.
  • Separate encryption and signature passwords are not supported.



use Jsq\Iron;
use Jsq\Iron\Password;

// payloads can be anything that can be serialized by json_encode
$payload = ['an' => 'array']; 
// passwords must be at least 32 characters long
$password = base64_encode(openssl_random_pseudo_bytes(24));
// tokens can be set to expire after a fixed number of seconds
$ttl = 300;

// create a sealed token
$token = Iron\seal($payload, $password, $ttl);

// The token will be unsealable with the correct password until the token expires
$unsealed = Iron\unseal($token, $password);

// Named passwords can also be used
$password = new Password(base64_encode(openssl_random_pseudo_bytes(24)), 'my_password');

// create a sealed token with the named password
$token = Iron\seal($payload, $password);