Download the PHP package psr7-sessions/storageless without Composer

On this page you can find all versions of the PHP package psr7-sessions/storageless. It is possible to download and install these versions without Composer. Dependencies are resolved automatically.


Information about the package storageless

PSR-7 Storage-less HTTP Sessions


PSR7Session is a PSR-7 and PSR-15 compatible middleware that enables sessions without I/O usage in PSR-7 based applications.

Proudly brought to you by ocramius, malukenho and lcobucci.

Installation

Usage

You can use the PSR7Sessions\Storageless\Http\SessionMiddleware in any PSR-15 compatible middleware.

In a mezzio/mezzio application, this would look like the following:

After this, you can access the session data inside any middleware that has access to the Psr\Http\Message\ServerRequestInterface attributes:

You can also do this in asynchronous contexts and long-running processes, since neither super-globals nor I/O are involved.

It is recommended that you use a key with lots of entropy, preferably generated using a cryptographically secure pseudo-random number generator (CSPRNG). You can use the CryptoKey tool to do this for you.

Note that you can also use asymmetric keys; please refer to lcobucci/jwt documentation:

  1. The Configuration object: https://lcobucci-jwt.readthedocs.io/en/stable/configuration/
  2. Supported algorithms: https://lcobucci-jwt.readthedocs.io/en/stable/supported-algorithms/

Session Hijacking mitigation

To mitigate the risks associated with cookie theft, and thus session hijacking, you can bind the user session to its IP ($_SERVER['REMOTE_ADDR']) and User-Agent ($_SERVER['HTTP_USER_AGENT']) by enabling client fingerprinting:

If your PHP service is behind a reverse proxy of yours, you may need to retrieve the client IP from a different source of truth. In such cases you can extract the information you need by writing a custom \PSR7Sessions\Storageless\Http\ClientFingerprint\Source implementation:
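The trust decision behind such a source, as an added example in plain PHP (not the project's code, and not an implementation of its Source interface): X-Forwarded-For is honoured only when the direct peer is one of your own proxies, and the resulting IP is bound together with the User-Agent. The function names, the trusted-proxy list and the sample requests are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration; function names and the trusted-proxy list are assumptions.

/** Picks the client IP: X-Forwarded-For counts only when the direct peer is our own proxy. */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (! in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection or no header: the peer address is the source of truth
    }
    // Walk the chain right to left: the first hop that is not one of our proxies was
    // recorded by our proxy; everything to its left is client-controlled.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer address
        }
        if (! in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

function fingerprint(array $server, array $trustedProxies): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', clientIp($server, $trustedProxies) . "\0" . $ua);
}

/** True when the fingerprint stored with the session matches the current request. */
function sameClient(string $stored, array $server, array $trustedProxies): bool
{
    return hash_equals($stored, fingerprint($server, $trustedProxies));
}

// Constructed sample requests (documentation address ranges); 10.0.0.5 is our proxy.
$proxies = ['10.0.0.5'];
$login   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$replay  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.9', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$stored  = fingerprint($login, $proxies);
var_dump(sameClient($stored, $login, $proxies));   // same client behind the proxy
var_dump(sameClient($stored, $replay, $proxies));  // other address that pre-filled the header itself
```

In the second request the leftmost header entry was supplied by the client, so only the address appended by the trusted proxy is used and the fingerprint no longer matches.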

Examples

Simply browse to the examples directory in your console, then run

Then try accessing http://localhost:9999: you should see a counter that increases at every page refresh.

WHY?

In most PHP+HTTP related projects, ext/session serves its purpose and allows us to store server-side information by associating a certain identifier to a visiting user-agent.

What is the problem with ext/session?

This is all fair and nice, except for:

What does this project do?

This project tries to implement storage-less sessions and to mitigate the issues listed above.

Assumptions

How does it work?

Session data is directly stored inside a session cookie as a JWT token.

This approach is not new, and is commonly used with Bearer tokens in HTTP/REST/OAuth APIs.

In order to guarantee that the session data is not modified, that the client can trust the information and that the expiration date is mutually agreed between server and client, a JWT token is used to transmit the information.

The JWT token is always signed to ensure that the user-agent is never able to manipulate the session. Both symmetric and asymmetric keys are supported for signing/verifying tokens.
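The sign-then-verify cycle described above, as an added example written with PHP built-ins only (it is not the project's code and does not use lcobucci/jwt). The function names, the claim layout and the 1200-second lifetime are assumptions made for this example; the key comes from a CSPRNG as recommended earlier on the page.

```php
<?php
declare(strict_types=1);

// Added illustration using PHP built-ins only; names and claim layout are chosen for this example.

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function issueSession(array $data, string $key, int $now, int $ttl): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['iat' => $now, 'exp' => $now + $ttl, 'session-data' => $data]));
    return "$header.$payload." . b64url(hash_hmac('sha256', "$header.$payload", $key, true));
}

/** Returns the session data, or null when the token is malformed, altered or expired. */
function readSession(string $token, string $key, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $signature] = $parts;
    // The algorithm is fixed server-side; the token's own "alg" header is never consulted.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    if (! hash_equals($expected, $signature)) {
        return null; // signature mismatch: the cookie was altered or signed with another key
    }
    $claims = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (! is_array($claims) || ! is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return null; // verified but expired (or missing its expiry)
    }
    return is_array($claims['session-data'] ?? null) ? $claims['session-data'] : [];
}

$key   = random_bytes(32); // CSPRNG-generated signing key
$now   = time();
$token = issueSession(['counter' => 1], $key, $now, 1200);

// Constructed tampering: same header and signature, payload rewritten client-side.
[$h, , $s] = explode('.', $token);
$forged = "$h." . b64url(json_encode(['iat' => $now, 'exp' => $now + 1200, 'session-data' => ['counter' => 999]])) . ".$s";

var_dump(readSession($token, $key, $now));        // untouched cookie
var_dump(readSession($forged, $key, $now));       // altered payload
var_dump(readSession($token, $key, $now + 1201)); // past expiry
```

The payload is only signed, not encrypted: anyone holding the cookie can read the session data, so nothing secret belongs in it.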

Advantages

Configuration options

Please refer to the configuration documentation.

Known limitations

Please refer to the limitations documentation.

Contributing

Please refer to the contributing notes.

License

This project is made public under the MIT LICENSE.


All versions of storageless with dependencies

Requires:

  • php: ~8.2.0 || ~8.3.0
  • dflydev/fig-cookies: ^3.1.0
  • lcobucci/clock: ^3.2.0
  • lcobucci/jwt: ^5.1.0
  • psr/http-message: ^1.1 || ^2.0
  • psr/http-server-handler: ^1.0.2
  • psr/http-server-middleware: ^1.0.2