Download the PHP package xp-forge/cookie-sessions without Composer
On this page you can find all versions of the php package xp-forge/cookie-sessions. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download xp-forge/cookie-sessions
More information about xp-forge/cookie-sessions
Files in xp-forge/cookie-sessions
Package cookie-sessions
Short Description Cookie-based sessions
License BSD-3-Clause
Homepage http://xp-framework.net/
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package cookie-sessions
Cookie sessions for the XP Framework
Cookie-based session implementation for the sessions library. Purely client-side, they require no serverside storage and thus scale very well. However, they also come with downsides, discussed below.
Usage
Inside the routing setup:
A binary-safe 32 byte secret key can be generated using the following:
Security
As stated here:
[The] security risk of putting the session data in the session cookie is the danger of "session replay" attacks. If a valid session cookie is captured from a user's browser (it's visible in the browser's developer console) then that cookie can be copied to another machine and used in a rogue session at any time.
Though the same applies for server-side sessions with session IDs transmitted via cookies, we can destroy the attached session on the server-side to invalidate in these cases, e.g. by deleting the session file or removing the relevant row from the database. For cookie-based sessions, there is no way to remotely guarantee session destruction - and thus no way for a safe user-based "Log me off on all devices" functionality.
However, if we use cookie-based sessions to store short-lived access tokens, we can reduce this risk significantly: A replay can only occur during that window of time. For Microsoft 365, this time is roughly one hour.
👉 Long story short: If there's an easy possibility to use server-side sessions, do that. If dependencies come at a high cost and you have ways of managing the risk, or for development purposes, this implementation can be a valid choice.
Internals
The session data is encrypted in the cookie and then encoded in base64 to use 7 bit only. The first byte controls the algorithm used:
Sfor Sodium, using sodium_crypto_box_open(), requires Sodium extensionOfor OpenSSL, using openssl_encrypt(), requires OpenSSL extension
The encrypted value is signed by a hash to detect any bit flipping attacks.
Compression
To prevent hitting the browser cookie limits too early, the cookie values are compressed using LZW (which is relatively easy to implement and gives good savings without requiring an extra PHP extension compiled in) if it's deemed worthwhile. If the cookie value is compressed, the indicators above appear in lowercase (s and o instead of S and O).
An example:
- JSON value (response from
https://api.twitter.com/1.1/account/verify_credentials.json): 2814 bytes - Encrypted and encoded cookie value: 3807 bytes (pretty close to the limit!)
- If compressed, decreases to 2477 bytes (more than a kilobyte saved, 65% of the size)
See also
All versions of cookie-sessions with dependencies
xp-forge/sessions Version ^3.0
php Version >=7.0.0