Download the PHP package jpm/session-sharing-bundle without Composer
On this page you can find all versions of the php package jpm/session-sharing-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package: session-sharing-bundle
Short description: Allow session sharing among known servers using sync cryptography
License: MIT
Information about the package session-sharing-bundle
Sharing Session Pack (Symfony)
A Symfony session-sharing package that allows a remote server to request and receive the sessionId from a host (IDP). The data is transmitted over HTTP and protected by symmetric (the bundle calls it "sync") encryption. Once the systems share the session via a Redis service, the remote system can retrieve the AuthUser information.
Install the package with: `composer require jpm/session-sharing-bundle`
Usage
PoC Demonstration
In the next section you will find step-by-step instructions for installing and using the bundle; if you prefer, watch the video presenting the bundle usage.
Settings on Host Side
- Install the bundle: `composer require jpm/session-sharing-bundle`.
- Then run `php bin/console jpm:generate-sync-key` to generate a random key. This key is sensitive information that you must keep secret.
- The output key usually starts with `def...`.
- In your `.env` file, add the following keys: `JPM_TOKEN_SYNC_SECRET` with your generated key; `JPM_APP_URL` with your own address; `JPM_KNOWN_REMOTE_HOSTS` with the known host domains, separated by commas. Here is an example:
- Now create a subscriber with the command `php bin/console make:subscriber RemoteAuth`, or just create the class manually in `./src/EventSubscriber/RemoteAuthSubscriber.php`.
Settings on a Remote Side
- Install the bundle here too: `composer require jpm/session-sharing-bundle`.
- In your `.env` file, add the following keys: `JPM_TOKEN_SYNC_SECRET` with the same key you are using on the host; `JPM_APP_URL` with your real domain; `JPM_IDP_URL` with the host route that performs the login action. Here is an example:
- Now create a subscriber with the command `php bin/console make:subscriber SessionManager`, or just create the class manually in `./src/EventSubscriber/SessionManagerSubscriber.php`.
Basically, this allows your remote project to retrieve the SessionId from the HOST via a request; the session data is then retrieved from Redis/the database without any issues.
Architecture life cycle
This bundle uses Symfony components to solve the problem of sharing a session between different Symfony projects while maintaining a minimal level of security, even when they are hosted under different domains.
Use case example:
- The unknown user accesses `http://remote.test`.
- The request is intercepted by `SessionManagerSubscriber`, and the user is redirected to the identity provider with callback info (HTTP 302).
- The IDP (host) receives a GET request: `http://host-idp.test/login?callback=aHR0cDovL3JlbW90ZS50ZXN0`.
- The `RemoteAuthSubscriber` on the IDP (host) intercepts the call, decrypts the callback parameter, extracts the domain, and confirms that it belongs to the allowed list of domains (`JPM_KNOWN_REMOTE_HOSTS`). If not: authorization is performed/queried, but the result is not forwarded to the unknown requester.
- Once the request is validated, the IDP checks whether the user has a valid open session.
- If not, the IDP authentication form is displayed to the user and the callback parameter is preserved.
- Once the session is created (or already exists), the "SessionID" is encrypted with the sync key using the defuse library.
- The user is redirected back to the callback URL with a token parameter containing the encrypted value.
- The remote application now receives a request: `http://remote.test?token=ZGVmNTAyMDAwYjliZDI5ODU5NGQxYzQwYTE...`
- Again `SessionManagerSubscriber` intercepts the request, but this time it finds the token, decodes and decrypts it, restores the session, and finally lets the identified user access the resource.
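The host-side allowlist check and the token round trip from the life cycle above, as an added example that is not the bundle's own code. It assumes defuse/php-encryption (the library the bundle depends on) is installed via Composer, and uses a freshly generated key and a constructed allowlist in place of the `.env` values.

```php
<?php
// Added example (not the bundle's code): the callback check and token exchange
// described above, using defuse/php-encryption, which the bundle depends on.
require 'vendor/autoload.php';
use Defuse\Crypto\Crypto;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;
use Defuse\Crypto\Key;

// Constructed stand-ins for the .env values. In the bundle the key is the
// JPM_TOKEN_SYNC_SECRET produced by jpm:generate-sync-key (it starts with "def...").
$key = Key::createNewRandomKey();
$knownRemoteHosts = ['remote.test'];   // JPM_KNOWN_REMOTE_HOSTS split on ","

// Host (IDP) side: only a callback whose host is on the allowlist is honoured.
function callbackIfAllowed(string $callbackParam, array $known): ?string
{
    $url = base64_decode($callbackParam, true);   // strict: reject non-base64 input
    $host = $url === false ? null : parse_url($url, PHP_URL_HOST);
    // Exact host match, not a substring test, so remote.test.attacker.example fails.
    return (is_string($host) && in_array(strtolower($host), $known, true)) ? $url : null;
}

// Host side: SessionID -> authenticated ciphertext (hex with a "def50200..." header,
// which is what the README's base64 token "ZGVmNTAyMDA..." wraps) -> base64 token.
function issueToken(string $sessionId, Key $key): string
{
    return base64_encode(Crypto::encrypt($sessionId, $key));
}

// Remote side: decode, then decrypt. defuse checks an HMAC before decrypting,
// so a modified token or a token made with another key fails closed.
function sessionIdFromToken(string $token, Key $key): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    try {
        return Crypto::decrypt($raw, $key);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null;
    }
}

var_dump(callbackIfAllowed('aHR0cDovL3JlbW90ZS50ZXN0', $knownRemoteHosts));        // "http://remote.test"
var_dump(callbackIfAllowed(base64_encode('http://evil.test'), $knownRemoteHosts)); // NULL
$token = issueToken('sess_abc123', $key);
var_dump(sessionIdFromToken($token, $key));                                        // "sess_abc123"
$tampered = base64_decode($token);
$tampered[-1] = $tampered[-1] === '0' ? '1' : '0';   // alter one hex digit of the MAC
var_dump(sessionIdFromToken(base64_encode($tampered), $key));                      // NULL
```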
Note of responsibility
Security is super important, and sharing a database/Redis between different systems is far from recommended; sending sensitive data in GET requests is terrible. Unfortunately, sometimes we need to create some kind of solution for these cases.
The natural solution for session sharing is to use JWT or some other type of token-based solution. I did this project as a study lab, and it might offer some insights for something different, so I don't recommend using this in production unless you understand the risks of sharing sensitive data between systems over HTTP communications.
All versions of session-sharing-bundle with dependencies
- symfony/dependency-injection: ^6.3
- symfony/http-kernel: ^6.3
- defuse/php-encryption: ^2.4
- symfony/console: ^6.3
- symfony/security-bundle: ^6.3
- symfony/serializer-pack: ^1.3
- symfony/dotenv: ^6.3
- symfony/yaml: ^6.3