kooser/session

Securely manage and preserve session data.

v5.0.1 2020-09-12 12:10 UTC

README

Continuous Integration

Installation

The best way to install Session Lock is through composer. If you do not have composer installed you can install it directly from the composer website. After composer is successfully installed run the command line code below.

composer require omatamix/session-lock

Usage

Session Manager

The session manger comes with a simple api.

use Omatamix\SessionLock\SessionManager;

// Construct a new session manager.
$session = new SessionManager();

Start or resume a session.

$session->start();

Check to see if our session is running.

if ($session->exists()) {
    echo "The session is running!";
}

The put method sets a session variable.

$session->put('hello', 'world');

This checks to see if this session variable is set.

if ($session->has('hello')) {
    echo "The session variable exists.";
}

The delete method deletes a session variable.

$session->delete('hello');

The get method gets the session variables value.

echo "Hello " . $session->get('hello') . "!";

The flash method does the same as get but flash will delete the session variable after retrievale.

echo "Hello " . $session->flash('hello') . "!";

Stop a session.

$session->stop();

Session Regeneration

It is very easy to update the current session id with a newly generated one.

$session->regerate();

Session Fingerprinting

This session manager comes with a built-in session fingerprinting which in a way improves session security. When you create a session handler instance, session fingerprinting is enabled by defualt, it binds your remote ip and user agent. If you do not want this enabled you can turn it off with.

$session = new SessionManager([
    'fingerprinting' => false,
]);

You can also disable binding the remote ip or user agent like this.

$session = new SessionManager([
    'bind_ip_address' => false, // If set to true we will bind the ip address else dont.
    'bind_user_agent' => false, // If set to true we will bind the user agent else dont.
]);

If you are using a trusted proxy you can set the remote ip with this.

$session = new SessionManager([
    'use_ip' => '127.0.0.1',
]);

Session Handlers

You can also set how you session information is stored using session handlers,

use Omatamix\SessionLock\SessionHandlers\CacheSessionHandler;

$session = new SessionManager();
$session->setSaveHandler(new CacheSessionHandler(/** A `psr/cache` or `psr/simple-cache` pool. */));

Supported

  • Omatamix\SessionLock\SessionHandlers\CacheSessionHandler::class
  • Omatamix\SessionLock\SessionHandlers\CookieSessionHandler::class
  • Omatamix\SessionLock\SessionHandlers\DatabaseSessionHandler::class
  • Omatamix\SessionLock\SessionHandlers\NullSessionHandler::class

Encryption Adapters

This library also includes encrypted session handlers.

use Defuse\Crypto\Key;
use Omatamix\SessionLock\Encryption\Adapter\Defuse;
use Omatamix\SessionLock\Encryption\Encrypted;

$session = new SessionManager();
$session->setSaveHandler(new Encrypeted(new CacheSessionHandler(/** A `psr/cache` or `psr/simple-cache` pool. */), new Defuse(Key::createNewRandomKey()));

// All session data will now be encrpyted using the `defuse` adapter.

Supported

  • Omatamix\SessionLock\Encryption\Adapter\Defuse::class
  • Omatamix\SessionLock\Encryption\Adapter\Halite::class

Session Config

You can also pass session configuration through the session manager constructor method.

$session = new SessionManager([
    'config' => [
        'use_cookies'      => true,
        'use_only_cookies' => true,
        'cookie_httponly'  => true,
        'cookie_samesite'  => 'Lax',
        'use_strict_mode'  => true,
    ]
]);

Security Vulnerabilities

If you discover a security vulnerability within Session Lock, please send an e-mail to Nicholas via omatamix@gmail.com. All security vulnerabilities will be promptly addressed.

Contributing

All contributions are welcome! If you wish to contribute.

License

This project is licensed under the terms of the MIT License.