Download the PHP package loculus/session-security-bundle without Composer

On this page you can find all versions of the php package loculus/session-security-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include, require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package session-security-bundle

Session Security Bundle

About

Session fixation is an attack in which the attacker makes the victim authenticate with a session ID the attacker already knows, and thereby takes over the authenticated session. Applications that don't assign a new session ID when authenticating users are vulnerable to this attack.

https://symfony.com/doc/current/reference/configuration/security.html

Symfony handles session fixation with one of three strategies, selected by the session_fixation_strategy option of the firewall: none, migrate (the default, which regenerates the session ID and keeps the session data) and invalidate (which regenerates the ID and discards the data).

This bundle was created to provide session security improvements for Symfony 6.0 applications.

Session Security Bundle addresses a related but different problem: a session cookie that is taken from one user agent/device and replayed from another one. Regenerating the ID at login does not help there, because the attacker copies the cookie after authentication.

The issue

Let's assume that you have two computers:

If you log in to your application as jane_doe on one computer and copy the session cookie (named PHPSESSID by default) to the other computer, you will also be logged in as jane_doe there.

This is because a PHP session, and therefore a Symfony session, is identified by nothing but its cookie: whoever presents the cookie gets the session. Symfony does not bind a session to the client that created it, so it does not protect your application against session cookie hijacking.

Requirements

The source code of this bundle is written for PHP 8.0, the minimum version required by Symfony 6.0.

Three of the validators are based on browscap, the Browser Capabilities Project, which allows you to detect the browser, platform and device type from the User-Agent header.

Browscap installation

To install browscap, download a browscap.ini file (lite or full) and set the browscap directive in your php.ini to its path.

Then restart your PHP service (and web server), and get_browser() will be able to detect browsers and their platforms based on the User-Agent header. You can confirm that the directive is active with php -i | grep browscap; if it is not set, get_browser() simply returns false and every browscap-based validator will fail.

More about browscap can be found on the php.net website, in the documentation of get_browser().

Bundle installation

To add this bundle to your application, run the following command:

With Symfony Flex, this command installs the latest version of the bundle and registers it in your config/bundles.php.

Then you need to configure validators and session invalidation strategies.

If you don't, you will get the following error message:

Configuration

You need to create a new YAML file, config/packages/loculus_session_security.yaml.

The minimal configuration of the bundle is as follows:

The above configuration:

So the bundle is enabled, but your application works as before: no validator runs and no session is invalidated.

Available session validators

You can use following session validators:

Available session invalidation strategies

You can use following session invalidation strategies:

Invalid configuration

You cannot enable a session validator or a session invalidation strategy that does not exist.

So the following bundle configuration will throw an exception:

You can add your own session validator or session invalidation strategy by implementing the corresponding interface:

Recommended configuration

We recommend the following configuration:

In the above case we check the browser name, platform and device type. We don't check the browser version (no such validator is present in the bundle), because browsers update themselves and a version check would log users out after every update. Note that all three attributes are derived from the User-Agent header, which the client controls: this configuration stops a cookie that is copied on its own, but not an attacker who copies the User-Agent header together with the cookie.

If the validation manager detects an invalid session, an InvalidSessionEvent is dispatched. The invalidation session listener intercepts this event and executes the invalidation strategy manager, which handles the issue in the way specified in the configuration.

In the above case the session ID is regenerated, the invalid session is destroyed, and the user is redirected to the login page, because a CookieTheftException is thrown.
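The following added example is not the bundle's code; it shows in plain PHP what the browscap installation above and the recommended configuration amount to: the browser name, platform and device type are read from the User-Agent header with get_browser() at login and stored in the session, every later request is compared against them, and a mismatch destroys the session. The session key _client_fingerprint, the function names and the two User-Agent strings are assumptions made for the example; get_browser() needs the browscap directive from the installation section, otherwise it returns false and the example stops with an explanatory error.

```php
<?php
// Added example, not part of the Session Security Bundle: bind a session to
// the client's browser/platform/device type (resolved with browscap) and detect
// a cookie replayed from another client.
declare(strict_types=1);

// Assumed session key for the example, not a key used by the bundle.
const FINGERPRINT_KEY = '_client_fingerprint';

/** Resolve the User-Agent attributes the session is bound to. */
function clientFingerprint(string $userAgent): array
{
    $caps = get_browser($userAgent, true);          // needs browscap=... in php.ini
    if ($caps === false) {
        throw new RuntimeException(
            'browscap is not configured: set browscap=/path/to/browscap.ini in php.ini and restart PHP'
        );
    }
    // The browser version is deliberately not included (see "Recommended configuration").
    return [
        'browser'     => (string) ($caps['browser'] ?? 'unknown'),
        'platform'    => (string) ($caps['platform'] ?? 'unknown'),
        'device_type' => (string) ($caps['device_type'] ?? 'unknown'),
    ];
}

/** Call once, right after successful authentication, before the session ID is regenerated. */
function bindSession(array &$session, string $userAgent): void
{
    $session[FINGERPRINT_KEY] = clientFingerprint($userAgent);
}

/**
 * Call on every request of an authenticated session. Returns the names of the
 * attributes that differ from the bound ones; an empty array means the session is valid.
 */
function validateSession(array $session, string $userAgent): array
{
    $bound = $session[FINGERPRINT_KEY] ?? null;
    if (!is_array($bound)) {
        return ['unbound'];                          // never bound: treat as invalid
    }
    $current = clientFingerprint($userAgent);
    return array_keys(array_diff_assoc($current, $bound));
}

/** Invalidation strategy: drop all session data and force a fresh session ID. */
function invalidateSession(array &$session): void
{
    $session = [];
    // Inside a real request this is session_regenerate_id(true) followed by
    // session_destroy(); in Symfony, $request->getSession()->invalidate().
}

// Constructed sample User-Agent strings for the example (not captured traffic):
// a desktop browser and a phone browser of the same browser family.
$desktopUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36';
$phoneUa   = 'Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.104 Mobile Safari/537.36';

$session = [];
bindSession($session, $desktopUa);                  // jane_doe logs in on the desktop

// The same client sends the next request: no attribute differs.
printf("same client, mismatches: %s\n", json_encode(validateSession($session, $desktopUa)));

// The cookie is replayed from the phone: platform and device type differ.
$mismatch = validateSession($session, $phoneUa);
if ($mismatch !== []) {
    printf("session bound to another client, differs in: %s\n", implode(', ', $mismatch));
    invalidateSession($session);                    // then redirect to the login page
}
```

In a Symfony application the same logic lives in a kernel.request listener that reads the fingerprint through the request's session (SessionInterface::get()/set()) and invalidates it with SessionInterface::invalidate(), which is what the bundle's invalidation strategies wrap. The device_type comparison is also the reason for the responsive-mode logouts described in the note for web developers: switching the emulated device changes the User-Agent header, so the phone request above is exactly what a developer's browser sends.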

Note for web developers

If you are a web developer and use the responsive mode of your web browser, you can experience an (un)expected logout. This is because the User-Agent header changes when you select a mobile device while you were logged in from your desktop.

Redirecting to the login page will occur every time you change the device in responsive mode, because the device type (and often the platform) no longer matches the one bound to the session.

Tests

Unit tests

Code coverage


All versions of session-security-bundle with dependencies

Requires:
  • php ^8.0
  • psr/log ^1|^2|^3
  • symfony/config ^6.0
  • symfony/dependency-injection ^6.0
  • symfony/event-dispatcher ^6.0
  • symfony/http-foundation ^6.0
  • symfony/http-kernel ^6.0
  • symfony/security-core ^6.0
