Download the PHP package ocramius/psr7-session without Composer
On this page you can find all versions of the php package ocramius/psr7-session. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download ocramius/psr7-session
More information about ocramius/psr7-session
Files in ocramius/psr7-session
Package psr7-session
Short Description Storageless PSR-7 Session support
License MIT
Informations about the package psr7-session
PSR-7 Storage-less HTTP Sessions
PSR7Session is a PSR-7 and PSR-15 compatible middleware that enables session without I/O usage in PSR-7 based applications.
Proudly brought to you by ocramius, malukenho and lcobucci.
Installation
Usage
You can use the PSR7Sessions\Storageless\Http\SessionMiddleware
in any
PSR-15
compatible middleware.
In a mezzio/mezzio
application, this would look like following:
After this, you can access the session data inside any middleware that
has access to the Psr\Http\Message\ServerRequestInterface
attributes:
You can do this also in asynchronous contexts and long-running processes, since no super-globals nor I/O are involved.
It is recommended that you use a key with lots of entropy, preferably generated using a cryptographically secure pseudo-random number generator (CSPRNG). You can use the CryptoKey tool to do this for you.
Note that you can also use asymmetric keys; please refer to
lcobucci/jwt
documentation:
- The
Configuration
object: https://lcobucci-jwt.readthedocs.io/en/stable/configuration/ - Supported algorithms: https://lcobucci-jwt.readthedocs.io/en/stable/supported-algorithms/
Session Hijacking mitigation
To mitigate the risks associated to cookie stealing and thus
session hijacking,
you can bind the user session to its IP ($_SERVER['REMOTE_ADDR']
) and
User-Agent ($_SERVER['HTTP_USER_AGENT']
) by enabling client fingerprinting:
If your PHP service is behind a reverse proxy of yours, you may need to retrieve the client IP from a different source of truth.
In such cases you can extract the information you need by writing a custom
\PSR7Sessions\Storageless\Http\ClientFingerprint\Source
implementation:
Examples
Simply browse to the examples
directory in your console, then run
Then try accessing http://localhost:9999
: you should see a counter
that increases at every page refresh
WHY?
In most PHP+HTTP related projects, ext/session
serves its purpose and
allows us to store server-side information by associating a certain
identifier to a visiting user-agent.
What is the problem with ext/session
?
This is all fair and nice, except for:
- relying on the
$_SESSION
superglobal - relying on the shutdown handlers in order to "commit" sessions to the storage
- having a huge limitation of number of active users (due to storage)
- having a lot of I/O due to storage
- having serialized data cross different processes (PHP serializes and
de-serializes
$_SESSION
for you, and there are security implications) - having to use a centralized storage for setups that scale horizontally
- having to use sticky sessions (with a "smart" load-balancer) when the storage is not centralized
- not designed to be used for multiple dispatch cycles
What does this project do?
This project tries to implement storage-less sessions and to mitigate the issues listed above.
Assumptions
- your sessions are fairly small and contain only few identifiers and
some CSRF tokens. Small means
< 400
bytes - data in your session is
JsonSerializable
or equivalent - data in your session is freely readable by the client
How does it work?
Session data is directly stored inside a session cookie as a JWT token.
This approach is not new, and is commonly used with Bearer
tokens in
HTTP/REST/OAuth APIs.
In order to guarantee that the session data is not modified, that the client can trust the information and that the expiration date is mutually agreed between server and client, a JWT token is used to transmit the information.
The JWT token is always signed to ensure that the user-agent is never able to manipulate the session. Both symmetric and asymmetric keys are supported for signing/verifying tokens.
Advantages
- no storage required
- no sticky sessions required (any server having a copy of the private or public keys can generate sessions or consume them)
- can transmit cleartext information to the client, allowing it to share some information with the server (a standard example is about sharing the "username" or "user-id" in a given session)
- can transmit encrypted information to the client, allowing server-only consumption of the information
- not affected by PHP serialization RCE attacks
- not limited to PHP process scope: can have many sessions per process
- no reliance on global state
- when in a multi-server setup, you may allow read-only access to servers that only have access to public keys, while writes are limited to servers that have access to private keys
- can be used over multiple dispatch cycles
Configuration options
Please refer to the configuration documentation.
Known limitations
Please refer to the limitations documentation.
Contributing
Please refer to the contributing notes.
License
This project is made public under the MIT LICENSE.
All versions of psr7-session with dependencies
dflydev/fig-cookies Version ^3.1.0
lcobucci/clock Version ^3.3.1
lcobucci/jwt Version ^5.4.0
psr/http-message Version ^1.1 || ^2.0
psr/http-server-handler Version ^1.0.2
psr/http-server-middleware Version ^1.0.2