
https://github.com/byjg/php-jwt-session

JwtSession is a PHP session replacement. Instead of using the file system, it stores the session in a JWT token. The implementation follows the SessionHandlerInterface.

handler jwt jwt-token jwtsession php php-sessions php7 stateless stateless-components



README


# JwtSession

[![Build Status](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml/badge.svg?branch=master)](https://github.com/byjg/jwt-session/actions/workflows/phpunit.yml)
[![Opensource ByJG](https://img.shields.io/badge/opensource-byjg-success.svg)](http://opensource.byjg.com)
[![GitHub source](https://img.shields.io/badge/Github-source-informational?logo=github)](https://github.com/byjg/jwt-session/)
[![GitHub license](https://img.shields.io/github/license/byjg/jwt-session.svg)](https://opensource.byjg.com/opensource/licensing.html)
[![GitHub release](https://img.shields.io/github/release/byjg/jwt-session.svg)](https://github.com/byjg/jwt-session/releases/)

JwtSession is a PHP session replacement. Instead of using the file system, it stores the session in a JWT token.
The implementation follows the SessionHandlerInterface.

# How to use:

Before calling `session_start()`, run:

```php
<?php
// 'example.com' is your server name; the secret must be base64url encoded
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withSecret('your super base64url encoded secret key');

$handler = new \ByJG\Session\JwtSession($sessionConfig);
session_set_save_handler($handler, true);
```

Now all your `$_SESSION` variables are saved directly into a JWT token!

## Secret key

Make sure you provide a base64url-encoded key.

# Motivation

The default PHP session does not work across multiple servers behind round-robin or similar load balancing.
This is because PHP sessions are saved in the file system by default.

There are implementations that can save the session to Redis or Memcached, for example.
But this requires you to set up a new server to store the session, which creates a single point of failure.
To avoid this you have to create Redis/Memcached clusters.

If you save the session in a JWT token, you do not need to create a new server.
Just use it.

You can read more in this Codementor's article:
[Using JSON Web Token (JWT) as a PHP Session](https://www.codementor.io/byjg/using-json-web-token-jwt-as-a-php-session-axeuqbg1m)

# Security Information

The JWT token cannot be changed, but it can be read.
This implementation saves the JWT in a client cookie.
Because of this, _**do not** store sensitive data such as passwords in the JWT token_.
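The two properties this note relies on, shown with an added example that is not code from the byjg/jwt-session project: a minimal HS256 JWT built with PHP core functions only, whose payload anyone holding the cookie can read, but whose signature rejects any change to that payload. The secret and the claims are constructed sample values.

```php
<?php
// Added example (not from the byjg/jwt-session project): a minimal HS256 JWT
// built with PHP core functions. The payload is readable by anyone holding the
// cookie; the signature stops the payload being changed. Sample values only.

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

function signHs256(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

function verifyHs256(string $jwt, string $secret): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$header, $payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return hash_equals($expected, $sig); // constant-time comparison
}

$secret = 'constructed-sample-secret';
$token  = signHs256(['user' => 'alice', 'cart' => ['sku-1']], $secret);

// 1. Readable without the secret: this is what the browser, a proxy log, or
//    anyone who obtains the cookie sees, so keep passwords and secrets out.
$claims = json_decode(b64urlDecode(explode('.', $token)[1]), true);
echo 'Readable payload: ', json_encode($claims), PHP_EOL;

// 2. Editing the payload invalidates the signature, so the server rejects it.
[$h, , $s] = explode('.', $token);
$edited = b64url(json_encode(['user' => 'bob', 'cart' => ['sku-1']]));
echo 'Original verifies: ', var_export(verifyHs256($token, $secret), true), PHP_EOL;
echo 'Edited verifies:   ', var_export(verifyHs256("$h.$edited.$s", $secret), true), PHP_EOL;
```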

# Install

```bash
composer require "byjg/jwt-session"
```

# Setting the validity of the JWT token

```php
<?php
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withSecret('your super base64url encoded secret key')
    ->withTimeoutMinutes(60); // You can use withTimeoutHours(1)

$handler = new \ByJG\Session\JwtSession($sessionConfig);
session_set_save_handler($handler, true);
```

# Setting different session contexts

```php
<?php
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withSecret('your super base64url encoded secret key')
    ->withSessionContext('MYCONTEXT');

$handler = new \ByJG\Session\JwtSession($sessionConfig);
session_set_save_handler($handler, true);
```

# Create the handler and replace the session handler

```php
<?php
// replaceSessionHandler() makes the JwtSession constructor register itself,
// so session_set_save_handler() is not called explicitly here
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withSecret('your super base64url encoded secret key')
    ->replaceSessionHandler();

$handler = new \ByJG\Session\JwtSession($sessionConfig);
```

# Specifying the cookie domain

```php
<?php
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withSecret('your super base64url encoded secret key')
    ->withCookie('.mydomain.com', '/') // cookie domain and path
    ->replaceSessionHandler();

$handler = new \ByJG\Session\JwtSession($sessionConfig);
```

# Using RSA private/public keys

```php
<?php
// $secret holds the PEM-encoded RSA private key, $public the matching public key
$sessionConfig = (new \ByJG\Session\SessionConfig('example.com'))
    ->withRsaSecret($secret, $public)
    ->replaceSessionHandler();

$handler = new \ByJG\Session\JwtSession($sessionConfig);
```

For details on how to create RSA public/private keys, see:
https://github.com/byjg/jwt-wrapper

# How it works

We store the JWT in a cookie named `AUTH_BEARER_` followed by the context name and the session name. The `PHPSESSID` cookie is still created because
PHP creates it by default, but we do not use it.

## Dependencies

```mermaid
flowchart TD
byjg/jwt-session --> byjg/jwt-wrapper
```

----
[Open source ByJG](http://opensource.byjg.com)