dcro/php-secure-client-side-sessions

Securely store PHP session information on the client side using cookies (session data is encrypted & compressed)
PHP Secure Client Side Session Handler

Securely store PHP session information on the client side using encrypted cookies (AES encryption). This is useful when you don't want to keep session information on a file system or in a database, typically behind a load balancer or across multiple servers in different geographical regions, where no single server holds the session state.

Because browsers limit a cookie to around 4KB of data, the session data is first compressed with the deflate algorithm. Keep in mind that the session data stored in the client-side cookie is sent back to the server with every request, so it is important to keep the data as small as possible.

Installation

You can either get the SecureClientSideSessionHandler.php file from Git or install the library via Composer. To use Composer, add the following to your composer.json file:

{
    "require": {
        "dcro/secure-client-side-session-handler": "dev-master"
    }
}

How to use it?

By default, the class only sets the data cookie over a secure HTTPS connection. This behaviour can be overridden by setting the cookieSecure static var to false.

You can also customize the cookie-specific settings (name, domain, path, etc.) using the cookieName, cookiePath, cookieDomain and cookieHTTPOnly static vars, and the data compression level (for the deflate algorithm) using the compressionLevel static var (supported values are 0 to 9).

You can initialize the session handler with:

SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();

The encryption key and encryption key salt can be any string values. They don't need to be very long, because the final encryption key is the SHA256 hash of encryption-key + random-salt + encryption-key-salt.

If you want to enable the session data cookie over HTTP (disabled by default), you'll need to initialize the session handler with:

SecureClientSideSessionHandler::$cookieSecure = false;
SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();

The default cookie name for the session handler is PHPSESSDATA. You can customize the cookie name with:

SecureClientSideSessionHandler::$cookieName = 'CUSTOM-COOKIE-NAME';
SecureClientSideSessionHandler::initialize('<your-encryption-key>', '<your-encryption-key-salt>');
session_start();
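To show the mechanism the README describes end to end (deflate, AES encryption with a key derived as SHA256 of key + random salt + key salt, and the 4KB cookie budget), here is an added example that is not the library's own code. The class name, the cookie name EXAMPLESESS and the sample session string are this example's assumptions, and AES-256-GCM is the example's choice of AES mode so that a modified cookie is rejected instead of being decrypted into garbage. It targets PHP 8.0+ and runs from the CLI without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not the dcro library's code. Class name, cookie name and the
// AES-256-GCM choice are assumptions; the key derivation follows the README:
// SHA256(encryption-key . random-salt . encryption-key-salt).
final class CookieSessionHandler implements SessionHandlerInterface
{
    public static string $cookieName = 'EXAMPLESESS';
    public static bool $cookieSecure = true;    // send the cookie over HTTPS only
    public static int $compressionLevel = 6;    // deflate level, 0..9
    private const MAX_COOKIE_BYTES = 4096;      // typical per-cookie browser limit

    public function __construct(private string $key, private string $keySalt) {}

    // A fresh random salt is stored inside the cookie, so the derived AES key
    // changes on every write even though the configured key pair is static.
    private function deriveKey(string $randomSalt): string
    {
        return hash('sha256', $this->key . $randomSalt . $this->keySalt, true);
    }

    // deflate -> AES-256-GCM (authenticated) -> base64; layout: salt|iv|tag|ciphertext
    public function seal(string $plaintext): string
    {
        $compressed = gzdeflate($plaintext, self::$compressionLevel);
        if ($compressed === false) {
            throw new RuntimeException('could not compress session data');
        }
        $salt = random_bytes(16);
        $iv = random_bytes(12);
        $tag = '';
        $cipher = openssl_encrypt($compressed, 'aes-256-gcm', $this->deriveKey($salt),
            OPENSSL_RAW_DATA, $iv, $tag, '', 16);
        if ($cipher === false) {
            throw new RuntimeException('could not encrypt session data');
        }
        return base64_encode($salt . $iv . $tag . $cipher);
    }

    // Reverse of seal(); returns '' (an empty session) on corruption or tampering.
    public function unseal(string $cookie): string
    {
        $raw = base64_decode($cookie, true);
        if ($raw === false || strlen($raw) < 44) {   // 16 salt + 12 IV + 16 tag
            return '';
        }
        $compressed = openssl_decrypt(substr($raw, 44), 'aes-256-gcm',
            $this->deriveKey(substr($raw, 0, 16)), OPENSSL_RAW_DATA,
            substr($raw, 16, 12), substr($raw, 28, 16));
        if ($compressed === false) {
            return '';   // GCM tag mismatch: wrong key or modified cookie
        }
        $plain = @gzinflate($compressed);
        return $plain === false ? '' : $plain;
    }

    // --- SessionHandlerInterface: nothing is stored server-side ---
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function gc(int $max_lifetime): int { return 0; }

    public function destroy(string $id): bool
    {
        setcookie(self::$cookieName, '', ['expires' => 1, 'path' => '/']);
        return true;
    }

    public function read(string $id): string
    {
        return $this->unseal($_COOKIE[self::$cookieName] ?? '');
    }

    public function write(string $id, string $data): bool
    {
        $sealed = $this->seal($data);
        // Check the budget explicitly: a browser silently drops an oversized cookie.
        if (strlen(self::$cookieName) + 1 + strlen($sealed) > self::MAX_COOKIE_BYTES) {
            trigger_error('session cookie would exceed 4KB; store less in $_SESSION', E_USER_WARNING);
            return false;
        }
        return setcookie(self::$cookieName, $sealed, [
            'path' => '/', 'secure' => self::$cookieSecure,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}

// Web usage (before any output is sent):
//   session_set_save_handler(new CookieSessionHandler($key, $keySalt), true);
//   session_start();
// Stand-alone CLI check: round trip, tamper detection and the resulting cookie size.
if (PHP_SAPI === 'cli') {
    $h = new CookieSessionHandler('example-key', 'example-key-salt');   // constructed values
    $data = 'user_id|i:42;role|s:4:"user";';                             // serialized $_SESSION shape
    $sealed = $h->seal($data);
    $raw = base64_decode($sealed);
    $raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);   // flip one ciphertext bit
    echo 'round trip ok: ', var_export($h->unseal($sealed) === $data, true), PHP_EOL;
    echo 'tampered rejected: ', var_export($h->unseal(base64_encode($raw)) === '', true), PHP_EOL;
    echo 'cookie bytes: ', strlen($sealed), PHP_EOL;
}
```

Two operational points follow from the design. write() runs at session_write_close(), which PHP normally calls at the end of the request, so the cookie can only be set if no output has been sent yet: call session_write_close() before echoing anything, or wrap the page in ob_start(). And because the server keeps no state, a cookie captured earlier remains valid until it expires; a client-side session cannot be revoked individually, only by rotating the key pair, which invalidates every session at once.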
