GitHub - scourgen/sfCookieSessionStoragePlugin: Cookie-based session storage plugin for the symfony framework

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
lib/storage		lib/storage
LICENSE		LICENSE
README		README
package.xml.tmpl		package.xml.tmpl

Repository files navigation

sfCookieSessionStoragePlugin
============================

`sfCookieSessionStoragePlugin` is a cookie-based session storage plugin for the symfony framework. Using this storage, the session data is directly stored in a cookie, only on the client side (no persistent session on the server side).

This removes the need for a shared session storage in a load-balanced platform, since a request from the user also carries the session data. As compared with other solutions for load-balanced session (database or memcache storage), cookie-based session storage is easier to install, and much faster.

Usage
-----
 
You can use this storage by overriding the storage settings in your `factories.yml`: 
 
    [yml] 
    all: 
      storage: 
        class: sfCookieSessionStorage 
        param: 
          session_name: symfony #default value
          secret:       M@ke $ure you ch0Ose a v3ry long and unique salt 

The `secret` key is compulsory and has no default. If it is too short, a malicious user may be able to change its session data, so choose it wisely.

By default, the session data is stored in clear (although encoded in Base64), but signed with a unique algorithm. That means that the user can't change the data in the cookie, because the plugin will then detect it and reset the session.

Sessoin Data Cookie Name
------------------------

By default, the session data cookie uses the session id as name:

    symfony=skq8jnubpfji82dsaruc77l8q6
    skq8jnubpfji82dsaruc77l8q6=c3ltZm9ueS91c2VyL3N--d064bb928a49a03c3d2db2bc657df5b0ddd084ac
    
If you want to use a predefined name for the session data cookie, define the `cookie_name` parameter:

    [yml] 
    all: 
      storage: 
        class: sfCookieSessionStorage 
        param: 
          session_name: symfony #default value
          secret:       M@ke $ure you ch0Ose a v3ry long and unique salt 
          cookie_name:  symfony_data

That way, you can predict the session data cookie name, even on the client side:

    symfony=skq8jnubpfji82dsaruc77l8q6
    symfony_data=c3ltZm9ueS91c2VyL3N--d064bb928a49a03c3d2db2bc657df5b0ddd084ac
    
Session Data Size
-----------------

Being stored in a cookie, session data is limited to 4 Kb in size. Since the data is encoded in base64, and signed by a digest, it's a little less than that. 

That means that you shouldn't store objects in the session, and limit the session data to small elements.

If you end up with too large session data, you can enable compression on the cookie in the storage parameters:

    [yml] 
    all: 
      storage: 
        class: sfCookieSessionStorage 
        param: 
          session_name:    symfony #default value
          secret:          M@ke $ure you ch0Ose a v3ry long and unique salt
          use_compression: true

Note that the zlib extension must be anabled in your PHP settings for this option to work.

Data Storage Encryption
-----------------------

By defaut, the session data is encoded in Base64. If you need to access the session data on the client side, you may want to disable this encoding. Set the `use_encoding` parameter to `false` to store cookie data in clear. Note that PHP uses a special serialize algorithm for session data, so you may need to parse the cookie manually to access the data.

    [yml] 
    all: 
      storage: 
        class: sfCookieSessionStorage 
        param: 
          session_name: symfony #default value
          secret:       M@ke $ure you ch0Ose a v3ry long and unique salt
          use_encoding: false


Even when encoded in Base64, the session data can be decoded on the client size by a smart user, so don't store sensible information in the session. Alternatively, you can use mcrypt to encrypt the session data in the cookie with a reversible algorithm to secure the data. Be aware that this will slow down your pages, and reduce the interest of cookie-based session storage from a performance point of view.

Tip: If you use suhosin, there is no need to encrypt the session data, since suhosin does the encryption of the cookie itself.

Enable encryption in the `factories.yml` by changing the storage class to `sfCryptedCookieSessionStorage`:

    [yml] 
    all: 
      storage: 
        class: sfCryptedCookieSessionStorage 
        param: 
          session_name:    symfony   #default value 
          secret:          R5DSHY73F
          crypt_algorithm: tripledes #default value
          crypt_mode:      ecb       #default value

Using A Custom Encryption Algorithm
-----------------------------------

You can use your own methods for the cookie encoding and decoding logic; just create a class extending `sfCookieSessionStorageBase` and implement the `encode()` and `decode()` methods. Then, use your custom class in the storage settings.

Miscellaneous
-------------

 * This plugin is released nuder the MIT License
 * This plugin is based on previous work by Nicolas Perriault (http://trac.symfony-project.org/attachment/ticket/4447/sfCookieSessionStorage.diff)