HTTPS clone URL
Subversion checkout URL
Cookie-based session storage plugin for the symfony framework
Fetching latest commit...
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
sfCookieSessionStoragePlugin ============================ `sfCookieSessionStoragePlugin` is a cookie-based session storage plugin for the symfony framework. Using this storage, the session data is directly stored in a cookie, only on the client side (no persistent session on the server side). This removes the need for a shared session storage in a load-balanced platform, since a request from the user also carries the session data. As compared with other solutions for load-balanced session (database or memcache storage), cookie-based session storage is easier to install, and much faster. Usage ----- You can use this storage by overriding the storage settings in your `factories.yml`: [yml] all: storage: class: sfCookieSessionStorage param: session_name: symfony #default value secret: M@ke $ure you ch0Ose a v3ry long and unique salt The `secret` key is compulsory and has no default. If it is too short, a malicious user may be able to change its session data, so choose it wisely. By default, the session data is stored in clear (although encoded in Base64), but signed with a unique algorithm. That means that the user can't change the data in the cookie, because the plugin will then detect it and reset the session. Sessoin Data Cookie Name ------------------------ By default, the session data cookie uses the session id as name: symfony=skq8jnubpfji82dsaruc77l8q6 skq8jnubpfji82dsaruc77l8q6=c3ltZm9ueS91c2VyL3N--d064bb928a49a03c3d2db2bc657df5b0ddd084ac If you want to use a predefined name for the session data cookie, define the `cookie_name` parameter: [yml] all: storage: class: sfCookieSessionStorage param: session_name: symfony #default value secret: M@ke $ure you ch0Ose a v3ry long and unique salt cookie_name: symfony_data That way, you can predict the session data cookie name, even on the client side: symfony=skq8jnubpfji82dsaruc77l8q6 symfony_data=c3ltZm9ueS91c2VyL3N--d064bb928a49a03c3d2db2bc657df5b0ddd084ac Session Data Size ----------------- Being stored in a cookie, session data is limited to 4 Kb in size. Since the data is encoded in base64, and signed by a digest, it's a little less than that. That means that you shouldn't store objects in the session, and limit the session data to small elements. If you end up with too large session data, you can enable compression on the cookie in the storage parameters: [yml] all: storage: class: sfCookieSessionStorage param: session_name: symfony #default value secret: M@ke $ure you ch0Ose a v3ry long and unique salt use_compression: true Note that the zlib extension must be anabled in your PHP settings for this option to work. Data Storage Encryption ----------------------- By defaut, the session data is encoded in Base64. If you need to access the session data on the client side, you may want to disable this encoding. Set the `use_encoding` parameter to `false` to store cookie data in clear. Note that PHP uses a special serialize algorithm for session data, so you may need to parse the cookie manually to access the data. [yml] all: storage: class: sfCookieSessionStorage param: session_name: symfony #default value secret: M@ke $ure you ch0Ose a v3ry long and unique salt use_encoding: false Even when encoded in Base64, the session data can be decoded on the client size by a smart user, so don't store sensible information in the session. Alternatively, you can use mcrypt to encrypt the session data in the cookie with a reversible algorithm to secure the data. Be aware that this will slow down your pages, and reduce the interest of cookie-based session storage from a performance point of view. Tip: If you use suhosin, there is no need to encrypt the session data, since suhosin does the encryption of the cookie itself. Enable encryption in the `factories.yml` by changing the storage class to `sfCryptedCookieSessionStorage`: [yml] all: storage: class: sfCryptedCookieSessionStorage param: session_name: symfony #default value secret: R5DSHY73F crypt_algorithm: tripledes #default value crypt_mode: ecb #default value Using A Custom Encryption Algorithm ----------------------------------- You can use your own methods for the cookie encoding and decoding logic; just create a class extending `sfCookieSessionStorageBase` and implement the `encode()` and `decode()` methods. Then, use your custom class in the storage settings. Miscellaneous ------------- * This plugin is released nuder the MIT License * This plugin is based on previous work by Nicolas Perriault (http://trac.symfony-project.org/attachment/ticket/4447/sfCookieSessionStorage.diff)