seba1rx/sessionadmin

php session admin featuring url control and security against hijicking

Maintainers

Details

github.com/seba1rx/SessionManager

Source

Issues

Installs: 43

Dependents: 0

Suggesters: 0

Security: 0

Stars: 2

Watchers: 1

Forks: 0

Open Issues: 0

v1.0.0 2024-01-26 18:37 UTC

MIT 84188b843e8738774d508c0c98be80dc27f7054c

  • Sebastian Basilio <seba1rx.woop@gmail.com>

This package is auto-updated.

Last update: 2025-06-30 23:14:56 UTC

README

Simple PHP session manager implementing security against hijicking

Requires PHP 8

install with composer require seba1rx/sessionadmin:dev-master

if you get a message saying Could not find a version of package seba1rx/sessionadmin matching your minimum-stability (stable). then add "minimum-stability": "dev" to your composer.json file before installing

Usage:

On each PHP page, call activateSession() method as you would with session_start()

In order to use this class, you can use the Seba1rx\MySessionAdmin class or you can create your own class to extend Seba1rx\SessionAdmin Class

There are 2 public methods:

activateSession() and createUserSession()

You will find a working demo in /demo , the demo shows a basic website implementing the class, or you can clone this repo to your local dev environment to try out the demo.

This class can be useful in websites that have public content available but also restricted content accessible only if you log in

Features:

  • Creates a session for guest and users
  • Named session
  • 3% chances of regenerating session id on each request
  • Prevents hijicking
  • Define allowed URL array for guests, that can be expanded when user logs in according to system profile
  • session destruction on obsolete request

Here are some screen caps:

Index, public content

page2, login, public content

private content

Here is a demo authenticator

require('../vendor/autoload.php');

use Seba1rx\MySessionAdmin;

$rxSessionAdmin = new MySessionAdmin(
    [
        "sessionLifetime" => 3600,
        "allowedURLs" => ["index.php", "page2.php"],
        "keys" => [
            "some_key" => "some_value",
            "foo" => "bar",
        ],
   ]
);
$rxSessionAdmin->activateSession();

// this scripts simulates an authentication, you should implement your own validation

$validationResponse = [
    'ok' => false,
    'msg' => null,
];


if(
    isset($_POST["useremail"]) && !empty($_POST["useremail"]) && isset($_POST["userpassword"]) && !empty($_POST["userpassword"])
    // no other validation so you can use any user/email in this demo
){
    // lets assume we query the system database and the data matching the credentials is the following
    $data = [
        "id" => 123,
        "name" => "Sebastian",
        "nickname" => "seba1rx",
        "avatar" => "cat-space.gif",
        "birthDate" => "1985-05-21",
        "country" => "Chile",
        "email" => $_POST["useremail"]
    ];

    // up to now we are in guest mode... lets call the method to create the user session
    $rxSessionAdmin->createUserSession($data['id']);

    // since $_SESSION is open, there is no point in encapsulating the data with get and set... lets add the data to SESSION['data']
    foreach($data AS $dataName => $dataValue){
        $_SESSION['data'][$dataName] = $dataValue;
    }

    // here you woud iterate to add allowed urls according to assigned profile
    // foreach($ProfileAllowedUrls AS $url){
    //    $_SESSION['allowedUrl'][] = $url;
    // }

    $validationResponse['ok'] = true;
    $validationResponse['msg'] = 'Wellcome '.$_SESSION['data']['name'];

}else{
    $validationResponse['ok'] = false;
    $validationResponse['msg'] = 'Complete the form fields!';
}

echo json_encode($validationResponse);