
sesshin's Introduction

Sesshin

Object-oriented, extendable, advanced session handling component written with security in mind that mitigates attacks like Session Hijacking, Session Fixation, Session Exposure, Session Poisoning and Session Prediction.

Awarded 1st place in php.pl contest.

Features:

  • smart session expiry control
  • prevents session adoption, i.e. only session ids generated by the component are accepted (strict model)
  • sends the cookie only when a session is really created
  • session id rotation (against session hijacking), based on time and/or number of requests
  • configurable
  • unlike the native PHP mechanism, you don't have to use cron or a resource-consuming 100% garbage-collection probability to ensure sessions are removed exactly after the specified time
  • convention over configuration: user-defined stores, listeners (observers), entropy callback and fingerprint generators can be configured, but all of them have defaults set out of the box
  • 100% independent of the insecure native PHP session extension


Usage

Installation

composer require sobstel/sesshin

Create new session

The session cookie is created only when create() is called (with the native PHP session handler the cookie is present all the time, whether it is needed or not).

$session->create();

Open existing session

If the session was not created earlier, it is not opened and false is returned.

$session->open();

If you want a new session to be created when none exists yet, just pass true as the argument. It will call create() transparently.

$session->open(true);

Regenerate session id

// auto-regenerate after specified time (secs)
$session->setIdTtl(300);

// auto-regenerate after specified number of requests
$session->setIdRequestsLimit(10);

// manually
$session->regenerateId();

Listen to special events

use Sesshin\Event\Event;

$eventEmitter = $session->getEmitter();

$eventEmitter->addListener('sesshin.no_data_or_expired', function(Event $event) {
  die('Session expired or session adoption attack!');
});
$eventEmitter->addListener('sesshin.expired', function(Event $event) {
  die(sprintf('Session %s expired!', $event->getSession()->getId()));
});
$eventEmitter->addListener('sesshin.invalid_fingerprint', function(Event $event) {
  die('Invalid fingerprint, possible attack!');
});
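The sections above (create, open, id regeneration, events) each show one call in isolation. The following request bootstrap, an added example that is not code from the sesshin README, puts them together in the order the library requires: expiry and rotation settings are applied before open(), because the issue tracker below reports a "Session is already opened" error when setTtl() is called afterwards. It assumes Session, FileStore, setTtl(), setIdTtl(), setIdRequestsLimit(), getEmitter(), addListener() and open(true) as they appear on this page; the sessions directory, the timeouts and the listener bodies are choices made for this example.

```php
<?php
// Added example (not from the sesshin README): one request bootstrap that
// configures the session before opening it and wires the security listeners.
// Assumed API: Sesshin\Session, FileStore, setTtl/setIdTtl/setIdRequestsLimit,
// getEmitter()->addListener() and open(true), exactly as shown on this page.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Sesshin\Session;
use Sesshin\Store\FileStore;
use Sesshin\Event\Event;

// Directory outside the web root and not shared with other tenants
// (the README warns that /tmp is unsafe on shared hosting). Path is constructed.
$session = new Session(new FileStore(__DIR__ . '/var/sessions'));

// Configure expiry and id rotation BEFORE open(); the library refuses these
// calls on an already opened session ("Session is already opened").
$session->setTtl(1800);            // idle timeout: data expires 30 min after the last request
$session->setIdTtl(300);           // rotate the id every 5 minutes ...
$session->setIdRequestsLimit(20);  // ... or every 20 requests, whichever comes first

$emitter = $session->getEmitter();

// Strict model: an id that was never issued by this component carries no data.
// Log it as a possible session-adoption attempt; no data from the request is trusted.
$emitter->addListener('sesshin.no_data_or_expired', function (Event $event) {
    error_log('sesshin: unknown or expired session id presented');
});

// A fingerprint mismatch (same id, different client profile) is the hijacking
// signal: refuse the request and force a fresh login instead of continuing.
$emitter->addListener('sesshin.invalid_fingerprint', function (Event $event) {
    error_log(sprintf('sesshin: fingerprint mismatch for session %s',
        $event->getSession()->getId()));
    http_response_code(403);
    exit('Session rejected.');
});

// open(true) loads the existing session or transparently create()s one;
// the cookie is only sent when a session is actually created.
$session->open(true);
```

The listeners deliberately log rather than die() as in the README snippet: a production handler wants the event recorded for detection, and only the fingerprint mismatch, which indicates a stolen id, terminates the request.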

User session

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

$userSession = new UserSession(new FileStore('/path/to/dir'));

$userSession->create();
$userSession->login(123);

if ($userSession->isLogged()) {
  echo sprintf('User %s is logged', $userSession->getUserId());

  // Or if you have some kind of UserRepository class, which can be used to fetch user data
  $user = UserRepository::find($userSession->getUserId());
  echo sprintf('User %s is logged', $user->getUsername());
}
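The snippet above shows login(), isLogged() and getUserId(). A fuller login/logout handler, added here as an example and not taken from the sesshin project, adds the step a session-fixation defence needs: the id is regenerated at the moment of privilege change, so an id planted in the browser before login never becomes an authenticated session. It assumes UserSession with open(true), regenerateId(), login(), setValue(), isLogged(), getUserId() and logout() as they appear on this page; findUserId(), the sample account and the sessions path are constructed for the example.

```php
<?php
// Added example (not from the README): login/logout handler on top of UserSession.
// Assumed API from this page: open(true), regenerateId(), login(), setValue(),
// isLogged(), getUserId(), logout(). findUserId() and the account are placeholders.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

/** Placeholder credential check; a real app would load the hash from its user table. */
function findUserId(string $username, string $password): ?int
{
    // Constructed sample account with id 123.
    static $hash = null;
    $hash ??= password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);
    return ($username === 'alice' && password_verify($password, $hash)) ? 123 : null;
}

$userSession = new UserSession(new FileStore(__DIR__ . '/var/sessions'));
$userSession->open(true);

$action = $_POST['action'] ?? 'status';

switch ($action) {
    case 'login':
        $userId = findUserId((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
        if ($userId === null) {
            http_response_code(401);
            exit('Invalid credentials');
        }
        // Privilege change: rotate the id so a pre-login id known to an attacker
        // (session fixation) is never the id of the authenticated session.
        $userSession->regenerateId();
        $userSession->login($userId);
        $userSession->setValue('login_at', time());
        echo 'Logged in';
        break;

    case 'logout':
        // Drops the authenticated state; the next request starts unauthenticated.
        $userSession->logout();
        echo 'Logged out';
        break;

    default:
        if ($userSession->isLogged()) {
            echo sprintf('User %s is logged', $userSession->getUserId());
        } else {
            http_response_code(401);
            echo 'Not logged in';
        }
}
```

The time-based and request-based rotation configured on the session still applies; the explicit regenerateId() on login is in addition to it, because rotation on a timer does not guarantee a new id at the exact moment the session gains privileges.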

Store

Sesshin provides a default FileStore.

use Sesshin\Session;
use Sesshin\Store\FileStore;

$session = new Session(new FileStore('/path/to/dir'));

Note! Using /tmp as a directory is not secure on shared hosting.

Alternatively you can use one of the numerous doctrine/cache providers.

use Sesshin\Store\DoctrineCache;
use Doctrine\Common\Cache\MemcachedCache;

$memcached = new Memcached;
// here configure memcached (add servers etc)

$session = new Session(new DoctrineCache(new MemcachedCache($memcached)));

You can also implement your own store using Sesshin\Store\StoreInterface.

Change entropy algorithm

The entropy generator supplies the random input from which session ids are derived.

$session->getIdHandler()->setEntropyGenerator(new MyFancyEntropyGenerator());

MyFancyEntropyGenerator must implement Sesshin\EntropyGenerator\EntropyGeneratorInterface.
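Session prediction is only mitigated if the entropy source is unpredictable, so the generator is the place a reviewer checks. The class below is an added example, not part of sesshin, of a generator backed by the operating system CSPRNG via random_bytes(). It assumes that EntropyGeneratorInterface declares a single generate() method returning a string (verify against the interface in your installed version); the class name, namespace and byte length are choices for this example.

```php
<?php
// Added example (not from the README): a CSPRNG-backed entropy generator.
// Assumption: Sesshin\EntropyGenerator\EntropyGeneratorInterface declares one
// method, generate(), returning a string. Check the interface in your version.
declare(strict_types=1);

namespace App\Session;

use Sesshin\EntropyGenerator\EntropyGeneratorInterface;

final class CsprngEntropyGenerator implements EntropyGeneratorInterface
{
    private int $bytes;

    public function __construct(int $bytes = 32)
    {
        // 32 bytes = 256 bits, well above the 64 bits OWASP recommends as a
        // minimum for a session id; refuse anything that would undercut that.
        if ($bytes < 16) {
            throw new \InvalidArgumentException('At least 16 bytes of entropy are required');
        }
        $this->bytes = $bytes;
    }

    public function generate(): string
    {
        // random_bytes() draws from the OS CSPRNG and throws rather than falling
        // back to a weak source; bin2hex keeps the value cookie-safe. The id
        // handler may hash this further, which does not reduce the entropy.
        return bin2hex(random_bytes($this->bytes));
    }
}

// Wiring, using the call from the README:
// $session->getIdHandler()->setEntropyGenerator(new \App\Session\CsprngEntropyGenerator());
```

Functions such as uniqid(), mt_rand() or time-derived values are not acceptable here: their output is guessable from timing or from previously observed ids, which is exactly the prediction attack the component sets out to prevent.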

Change session ID store

By default the session ID is stored in a cookie, but sometimes you may need to force the session id, e.g. based on some token, query string variable, etc.

$session->getIdHandler()->setIdStore(new MyFancyIdStore());

MyFancyIdStore must implement Sesshin\Id\Store\StoreInterface.

sesshin's People

Contributors

rkrx, sobstel, yabafinet


sesshin's Issues

How to activate the security flag in the session cookie?

How to activate the security flag in the session cookie?

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

$session = new UserSession(new FileStore('/tmp'));
$session->setIdTtl(300);
$session->setIdRequestsLimit(10);

Specific usage behavior

Hi @sobstel ,
I have following questions to the specific usage behavior:

  1. Can I set the domain of the session to *.domain.com? (domain AND subdomains can access the same session)

  2. Where should I put the following settings? On the first page and then they are active until this session expires?

$session->setIdTtl(300);
$session->setIdRequestsLimit(10);
$session->setTtl(1440); ("Session is already opened" Message)

  3. When the session is for a user who works 8 hours a day with the site, should the Ttl (Time to live) be 8 * 60 * 60? He should login once a day and the session should last the whole day.

  4. Does $session->logout() delete the session AND the session data stored inside? Or is it something like session_write_close()?

  5. What is the specific difference in
    $session->logout()
    $session->destroy()
    $session->close()
    and when to use each one? (which one to use for a synonym to session_write_close, which one for session logout)

Is there some link to donate for a coffee?

Thank you VERY MUCH!

Can't run demo script

Hi, I'm using the demo Script:

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

$userSession = new UserSession(new FileStore('mysrc'));

$userSession->create();
$userSession->login(123);

if ($userSession->isLogged()) {
    $user = UserRepository::find($userSession->getUserId());
    echo sprintf('User %s is logged', $user->getUsername());
}

I have the demo.php script with this code and the directory mysrc in the same directory:
demo > demo.php
demo > mysrc

But I get following error:

Fatal error: Uncaught Error: Class 'UserRepository' not found in ...
Warning: file_put_contents(mysrc/9576082f0efc073691243dc165dbdae93d725069.sess): failed to open stream: No such file or directory in ...

Is the directory given by me wrong? How do I fix this?

Thanks in advance!

A few observations

Hey, I noticed you updated the code. I have a few observations about some general package things:

  1. You could create a better changelog. Check keepachangelog.com for some advice and examples.
  2. There are no newlines between separate structures of the code (php tag, namespace, use, class, etc.) which makes it less readable IMO.

Good work, I hope you can make it into the league. Maybe you could ping the owners again.

How to store and get values

Hi!

How do I save and fetch values inside a session using UserSession?

I have the demo script:

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

$userSession = new UserSession(new FileStore('mysrc'));

$userSession->create();
$userSession->login(123);

if ($userSession->isLogged()) {
    echo sprintf('User %s is logged', $userSession->getUserId());
}

How do I store the key "firstname" with the value "Eric" in the session?
And afterwards how to get the key "firstname" from the session?

Thanks in advance!

Update Packagist.

The tag that is downloaded by composer by default is v1.1.0, but it is not updated.

Can you please make the tag increase to v1.1.1, and upgrade to Packagist?

[question] singleton instance / problem with PHPunit

Hello
It is necessary to create a class to manage a singleton instance, because I try to do the following and it does not work.

login.php

$userSession = new UserSession(new FileStore('/tmp')); // singleton?
$userSession->open(true);
$userSession->login($arrUserLogin[0]['UsuarioId']);
$userSession->setValue('name', 'Testing');

if ($userSession->isLogged()) { // true
    return true;
}

checkLogin.php

$userSession = new UserSession(new FileStore('/tmp')); // singleton?
if ($userSession->isLogged()) { // false
    return true;
}
return false;
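A version of checkLogin.php added here as an example (it is not part of the issue thread) in which the session is loaded before it is inspected. Every PHP request starts from a fresh process state, so a new UserSession object per request is the normal pattern; what carries the state across requests is the id cookie plus the store. The example assumes that isLogged() only reflects data that open() has read from the store for the id sent with the request, and that open() returns false when no such session exists, as the README states; the store path is the one from the post.

```php
<?php
// Added example, not part of the issue thread: checkLogin.php with the session
// opened before it is inspected. Assumption: isLogged() reflects only data that
// open() loaded from the store for the id presented in the request cookie.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Sesshin\User\Session as UserSession;
use Sesshin\Store\FileStore;

function checkLogin(): bool
{
    // A new object per request is expected; no singleton is needed. The cookie
    // and the file store are what link this request to the one that logged in.
    // (/tmp is kept from the post; the README advises against it on shared hosts.)
    $userSession = new UserSession(new FileStore('/tmp'));

    // Without open() nothing is read from the store, so isLogged() stays false.
    // open() itself returns false when the presented id has no stored session.
    if (!$userSession->open()) {
        return false;
    }

    return $userSession->isLogged();
}

return checkLogin();
```

Calling open() rather than open(true) here is deliberate: a check endpoint should not mint a new session for an unauthenticated caller, which would also send a cookie that is not needed.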

Provide a storage interface with an optional wrapper around doctrine cache

I know I was the one who suggested to rely on a specific storage implementation, but it doesn't seem like a good idea now.

The problem is that it is hard to be framework agnostic, because every framework might have its own internal implementation for such storage. Thus until a PSR or something like that is created we should allow people to use their own implementation. So I propose to add back the storage interface with methods based on your need and add a wrapper around doctrine/cache as a default implementation AND suggestion. This would also mean you have to make it a constructor requirement, but that is not such a big problem. In fact, I would be happier to see most of the dependencies in the constructor instead of setters.
