{"id":18550306,"url":"https://github.com/xp-forge/cookie-sessions","last_synced_at":"2026-01-04T22:05:55.319Z","repository":{"id":38028874,"uuid":"498091534","full_name":"xp-forge/cookie-sessions","owner":"xp-forge","description":"Cookie-based sessions","archived":false,"fork":false,"pushed_at":"2024-03-24T10:26:44.000Z","size":31,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-12T23:02:12.324Z","etag":null,"topics":["cookie-session","php7","php8","sessions","web","xp-framework"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xp-forge.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-05-30T20:44:19.000Z","updated_at":"2022-05-30T21:55:29.000Z","dependencies_parsed_at":"2024-02-04T10:25:56.300Z","dependency_job_id":"7a6ad083-9906-4a89-b3aa-6cb1461ed4a7","html_url":"https://github.com/xp-forge/cookie-sessions","commit_stats":{"total_commits":15,"total_committers":1,"mean_commits":15.0,"dds":0.0,"last_synced_commit":"61063ef92d54a3b5a2f7f1d3ab9d8ef67bdb73c7"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xp-forge%2Fcookie-sessions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xp-forge%2Fcookie-sessions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xp-forge%2Fcookie-sessions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/xp-forge%2Fcookie-sessions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xp-forge","download_url":"https://codeload.github.com/xp-forge/cookie-sessions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254319722,"owners_count":22051075,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cookie-session","php7","php8","sessions","web","xp-framework"],"created_at":"2024-11-06T21:04:11.087Z","updated_at":"2026-01-04T22:05:55.313Z","avatar_url":"https://github.com/xp-forge.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"Cookie sessions for the XP Framework\n========================================================================\n\n[![Build status on GitHub](https://github.com/xp-forge/cookie-sessions/workflows/Tests/badge.svg)](https://github.com/xp-forge/cookie-sessions/actions)\n[![XP Framework Module](https://raw.githubusercontent.com/xp-framework/web/master/static/xp-framework-badge.png)](https://github.com/xp-framework/core)\n[![BSD Licence](https://raw.githubusercontent.com/xp-framework/web/master/static/licence-bsd.png)](https://github.com/xp-framework/core/blob/master/LICENCE.md)\n[![Requires PHP 7.4+](https://raw.githubusercontent.com/xp-framework/web/master/static/php-7_4plus.svg)](http://php.net/)\n[![Supports PHP 8.0+](https://raw.githubusercontent.com/xp-framework/web/master/static/php-8_0plus.svg)](http://php.net/)\n[![Latest Stable 
Version](https://poser.pugx.org/xp-forge/cookie-sessions/version.svg)](https://packagist.org/packages/xp-forge/cookie-sessions)\n\nCookie-based session implementation for the [sessions library](https://github.com/xp-forge/sessions/pull/10). Purely client-side, they require no server-side storage and thus scale very well. However, they also come with downsides, [discussed below](https://github.com/xp-forge/cookie-sessions#security).\n\nUsage\n-----\nInside the routing setup:\n\n```php\nuse web\\session\\CookieBased;\nuse web\\auth\\SessionBased;\nuse util\\Secret;\n\n$secret= new Secret('y+lCLaMzxlnHjkTt3FoPVQ_x5XTHSr78'); // 32 bytes!\n$sessions= new CookieBased($secret);\n\n$auth= new SessionBased($flow, $sessions);\nreturn $auth-\u003erequired(function($req, $res) {\n  // Use $req-\u003evalue('user')\n});\n```\n\nA binary-safe 32 byte secret key can be generated using the following:\n\n```bash\n$ xp -d 'base64_encode(random_bytes(24))'\nstring(32) \"ai4BO6rpwgezJztTalg5rt29XNJwMRMQ\"\n```\n\nNote that this yields 32 printable characters carrying 24 random bytes (192 bits of entropy). Anyone who obtains the secret can forge session cookies, so keep it out of version control and rotate it if it leaks; rotating it invalidates every existing session cookie, which is also the only way to force all users off at once.\n\nSecurity\n--------\nAs stated [here](https://github.com/SaintFlipper/EncryptedSession#why-use-server-side-session-storage-instead-):\n\n\u003e [The] security risk of putting the session data in the session cookie is the danger of \"session replay\" attacks. If a valid session cookie is captured from a user's browser (it's visible in the browser's developer console) then that cookie can be copied to another machine and used in a rogue session at any time.\n\nThe same is true of server-side sessions whose IDs are transmitted via cookies, but there the server can destroy the attached session to invalidate a captured cookie, e.g. by deleting the session file or removing the relevant row from the database. 
For cookie-based sessions, the server holds no state it could destroy, so a captured cookie cannot be revoked - and thus there is no way to offer a safe user-based \"Log me off on all devices\" functionality.\n\nHowever, if we use cookie-based sessions to store short-lived access tokens, we can reduce this risk significantly: a replayed cookie is only useful while the token inside it is still valid. For Microsoft 365, this time is roughly one hour. (This only holds if the cookie does not also carry a long-lived refresh token, which would let an attacker obtain fresh access tokens.)\n\n👉 **Long story short**: If there's an easy possibility to use server-side sessions, do that. If dependencies come at a high cost and you have ways of managing the risk, or for development purposes, this implementation can be a valid choice.\n\nInternals\n---------\nThe session data is encrypted in the cookie and then encoded in base64 to use 7 bit only. The first byte controls the algorithm used:\n\n* `S` for Sodium, using [sodium_crypto_box_open()](https://www.php.net/sodium_crypto_box_open), requires Sodium extension\n* `O` for OpenSSL, using [openssl_encrypt()](https://www.php.net/openssl_encrypt), requires OpenSSL extension\n\nThe encrypted value is additionally authenticated with a hash, so that any tampering with the ciphertext, such as a [bit flipping attack](https://en.wikipedia.org/wiki/Bit-flipping_attack), is detected and the cookie rejected.\n\nCompression\n-----------\nTo prevent hitting the [browser cookie limits](http://browsercookielimits.iain.guru/) too early, the cookie values are compressed using LZW (*which is [relatively easy to implement](http://www.rosettacode.org/wiki/LZW_compression#Simpler_Version) and gives good savings without requiring an extra PHP extension compiled in*) if it's deemed worthwhile. 
If the cookie value is compressed, the indicators above appear in lowercase (`s` and `o` instead of `S` and `O`).\n\nAn example:\n\n* JSON value (response from `https://api.twitter.com/1.1/account/verify_credentials.json`): **2814 bytes**\n* Encrypted and encoded cookie value: **3807 bytes** (*pretty close to the limit!*)\n* If compressed, decreases to **2477 bytes** (*more than a kilobyte saved, 65% of the size*)\n\nSee also\n--------\n* https://github.com/SaintFlipper/EncryptedSession\n* https://blog.miguelgrinberg.com/post/how-secure-is-the-flask-user-session","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxp-forge%2Fcookie-sessions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxp-forge%2Fcookie-sessions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxp-forge%2Fcookie-sessions/lists"}
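As an added example (not the library's own code) of the envelope the Internals and Compression sections describe, and of the expiry check the Security section argues for, the following PHP script seals and opens a cookie value: an indicator byte (`O`, lowercased to `o` when the payload was compressed), followed by base64 of IV, ciphertext and authentication tag, with the tag verified in constant time before anything is decrypted. Everything beyond what the README states is assumed: AES-256-CBC with encrypt-then-MAC (HMAC-SHA256), gzdeflate() standing in for LZW, two sub-keys derived from the one 32-byte secret, a 512-byte compression threshold, and an `exp` field inside the plaintext that bounds the replay window.

```php
<?php
declare(strict_types=1);
// Added illustration, not xp-forge/cookie-sessions' own code. Assumed layout:
//   <indicator> . base64( iv || ciphertext || hmac )
// indicator 'O' = OpenSSL AES-256-CBC, lowercase 'o' = payload deflated first.
// gzdeflate() stands in for the README's LZW; key derivation, the threshold and
// the 'exp' field are this example's choices, not the library's.

const CIPHER= 'aes-256-cbc';
const IV_LEN= 16;
const MAC_LEN= 32;
const COMPRESS_ABOVE= 512;

/** Separate encryption and MAC keys from the one 32-byte secret (assumption). */
function deriveKeys(string $secret): array {
  if (32 !== strlen($secret)) throw new InvalidArgumentException('Secret must be 32 bytes');
  return [
    hash_hmac('sha256', 'encrypt', $secret, true),
    hash_hmac('sha256', 'authenticate', $secret, true),
  ];
}

/** Serialize, optionally compress, encrypt, then MAC (encrypt-then-MAC). */
function sealCookie(array $session, string $secret, int $ttl): string {
  [$encKey, $macKey]= deriveKeys($secret);
  $plain= json_encode(['exp' => time() + $ttl, 'data' => $session], JSON_THROW_ON_ERROR);

  $indicator= 'O';
  if (strlen($plain) > COMPRESS_ABOVE) {
    $deflated= gzdeflate($plain, 9);
    if (false !== $deflated && strlen($deflated) < strlen($plain)) {
      $plain= $deflated;
      $indicator= 'o';                    // lowercase = compressed, as in the README
    }
  }

  $iv= random_bytes(IV_LEN);
  $cipher= openssl_encrypt($plain, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
  if (false === $cipher) throw new RuntimeException('Encryption failed');

  // The tag covers the indicator too, so nobody can toggle the compression flag.
  $mac= hash_hmac('sha256', $indicator.$iv.$cipher, $macKey, true);
  return $indicator.base64_encode($iv.$cipher.$mac);
}

/** Verify the MAC in constant time before decrypting; null means "reject this cookie". */
function openCookie(string $cookie, string $secret): ?array {
  [$encKey, $macKey]= deriveKeys($secret);
  $indicator= $cookie[0] ?? '';
  if ('O' !== $indicator && 'o' !== $indicator) return null;

  $raw= base64_decode(substr($cookie, 1), true);
  if (false === $raw || strlen($raw) < IV_LEN + IV_LEN + MAC_LEN) return null;  // IV + one block + MAC

  $iv= substr($raw, 0, IV_LEN);
  $cipher= substr($raw, IV_LEN, -MAC_LEN);
  $mac= substr($raw, -MAC_LEN);
  if (!hash_equals(hash_hmac('sha256', $indicator.$iv.$cipher, $macKey, true), $mac)) return null;

  $plain= openssl_decrypt($cipher, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
  if (false === $plain) return null;
  if ('o' === $indicator && false === ($plain= gzinflate($plain))) return null;

  $envelope= json_decode($plain, true);
  if (!is_array($envelope) || !isset($envelope['exp'], $envelope['data'])) return null;
  if ($envelope['exp'] < time()) return null;   // replay window closed: stale cookie
  return $envelope['data'];
}

// Demo with the README's sample secret and a constructed, oversized session
$secret= 'y+lCLaMzxlnHjkTt3FoPVQ_x5XTHSr78';
$cookie= sealCookie(['user' => 'alice', 'access_token' => str_repeat('t', 600)], $secret, 3600);
echo $cookie[0], ' ', strlen($cookie), " bytes\n";     // indicator and cookie length
var_dump(openCookie($cookie, $secret)['user']);

$raw= base64_decode(substr($cookie, 1));
$raw[0]= chr(ord($raw[0]) ^ 0x01);                      // flip one IV bit
var_dump(openCookie($cookie[0].base64_encode($raw), $secret));   // rejected by the MAC

var_dump(openCookie(sealCookie(['user' => 'bob'], $secret, -1), $secret));  // rejected as expired
```

The last two calls show the two rejection paths: a single flipped bit fails the MAC check before openssl_decrypt() is ever reached, and a cookie whose `exp` has passed is refused even though it verifies and decrypts. An AEAD mode such as AES-256-GCM would fold the tag into openssl_encrypt() itself; the separate hash is kept here to mirror the README's description of a signed ciphertext.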