Session cookie
HTTP is inherently a stateless protocol, which means that it doesn't retain information between different requests. To overcome this limitation, session cookies are used to keep track of a user's actions and data as they interact with a web application.
PHP.Gt/Session provides a custom `SessionHandler` implementation that stores session data in the system's temporary directory and applies a set of secure default values.
The session ID is the unique value that identifies each session, so it must be generated from a cryptographically secure random source so that it cannot be guessed or enumerated. Generation is left to PHP's inbuilt mechanism, but the `sid_length` and `sid_bits_per_character` config variables are set to secure default values, as per the `const` values defined on the `Gt\Session\Session` class. (Both ini settings are deprecated as of PHP 8.4, where PHP's own default of 32 hexadecimal characters, 128 bits of entropy, is considered sufficient.)

A typical session ID value looks like this (64 characters drawn from `0-9a-v`, i.e. 5 bits per character for 320 bits of entropy, versus 32 hexadecimal characters on a default PHP install):

`965sghffo11fm8aidg84lf8c7np4edna779o4mr0gnmbg93b665b7grdv405m5r5`
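The following is an added example, not code from PHP.Gt/Session. It shows how the two PHP settings above translate into session ID entropy and how to sanity-check an incoming ID against the exact shape the server issues. The 64-character / 5-bit figures match the sample ID on this page but are assumptions about the library's constants; the function names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example: not PHP.Gt/Session code. SID_LENGTH and SID_BITS_PER_CHAR are
// assumed from the sample ID on the page, not read from the library's source.
const SID_LENGTH = 64;
const SID_BITS_PER_CHAR = 5;

/** Character class PHP's session module uses for each sid_bits_per_character value. */
function sidCharClass(int $bitsPerChar): string
{
    return match ($bitsPerChar) {
        4 => '0-9a-f',          // hexadecimal (PHP's stock setting)
        5 => '0-9a-v',          // 32 symbols, as in the page's sample ID
        6 => '0-9a-zA-Z,-',     // 64 symbols: alphanumerics plus ',' and '-'
        default => throw new InvalidArgumentException(
            "session.sid_bits_per_character must be 4, 5 or 6, got $bitsPerChar"
        ),
    };
}

/** Entropy of a session ID in bits, assuming every character comes from a CSPRNG. */
function sidEntropyBits(int $length, int $bitsPerChar): int
{
    return $length * $bitsPerChar;
}

/**
 * True only if $sid has exactly the shape this server issues. Anything else
 * (wrong length, hex when we issue base32-style IDs, path characters, ...) is
 * either a stale cookie from an older configuration or an attacker-supplied value.
 */
function isWellFormedSid(string $sid, int $length = SID_LENGTH, int $bitsPerChar = SID_BITS_PER_CHAR): bool
{
    $pattern = sprintf('/\A[%s]{%d}\z/', sidCharClass($bitsPerChar), $length);
    return preg_match($pattern, $sid) === 1;
}

// --- demonstration with constructed inputs ----------------------------------
$pageExample     = '965sghffo11fm8aidg84lf8c7np4edna779o4mr0gnmbg93b665b7grdv405m5r5';
$defaultPhpStyle = 'a3f9c2e1b4d7086f5e9a1c3b2d4e6f70';   // constructed: 32 hex chars, PHP's stock format
$hostile         = '../../../etc/passwd';                 // constructed: a path-traversal probe

printf("default PHP (32 x 4 bits): %d bits of entropy\n", sidEntropyBits(32, 4));
printf("this page   (64 x 5 bits): %d bits of entropy\n", sidEntropyBits(SID_LENGTH, SID_BITS_PER_CHAR));

foreach ([$pageExample, $defaultPhpStyle, $hostile] as $candidate) {
    // Only the first candidate is accepted under the 64/5 configuration.
    printf("%-66s %s\n", $candidate, isWellFormedSid($candidate) ? 'accept' : 'reject');
}
```

PHP itself already refuses IDs containing characters outside its allowed set, and with `session.use_strict_mode=1` it also refuses IDs it never generated, which is the main defence against session fixation. The format check above is defence in depth for application code that reads the session cookie directly (logging, rate limiting, audit trails) so that a foreign or malformed value is never trusted or written anywhere.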
The default PHP session cookie is stored with the name `PHPSESSID`, but libraries can change this by providing appropriate values in the `$config` parameter of the `Gt\Session\Session` constructor. In WebEngine applications this is managed through the project's `config.ini`, and WebEngine defaults the value to `WebEngineSession`.
Same-site cookies are a browser security feature that helps mitigate Cross-Site Request Forgery (CSRF) attacks by giving the server control over whether the browser attaches a cookie to requests that originate from a different site. The `SameSite` attribute can be set to `Lax`, `Strict` or `None` (`None` is only honoured together with the `Secure` attribute; browsers reject the cookie otherwise).
This library sets the default `SameSite` value to `Lax` rather than the stricter `Strict`. The choice trades a little protection for usability: with `SameSite=Strict` the browser withholds the cookie even when a user follows a legitimate link from another site, so the first page they land on renders as though they were logged out, which is confusing and disruptive. `SameSite=Lax` withholds the cookie on cross-site subrequests (images, iframes, fetch/XHR) and on cross-site form POSTs, which covers the usual CSRF vectors, but still attaches it when the user navigates to the site with a top-level GET, a common and legitimate scenario.

For that reason `SameSite=Lax` is widely recommended as a default: it provides CSRF protection without significantly impacting the user experience. Two caveats apply. Because the cookie does accompany cross-site top-level GET navigations, any endpoint that changes state in response to a GET remains exposed, so keep state changes on POST. And `SameSite` is a browser-side, defence-in-depth control: a CSRF token on state-changing requests is still the primary defence.
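As an added example (not the library's own code), here is the plain-PHP equivalent of the cookie defaults described on this page: a custom cookie name, `SameSite=Lax`, and the `Secure`/`HttpOnly` attributes a practitioner would expect alongside it, with a weak configuration shown for contrast. `WebEngineSession` and the 64/5 ID shape are taken from the page; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not PHP.Gt/Session code. Function names are illustrative.

function requestIsHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

/**
 * Apply session and cookie settings. Must run before session_start(): the
 * cookie attributes are fixed at the moment PHP emits the Set-Cookie header.
 * Returns the cookie parameters so callers (and tests) can inspect them.
 */
function configureSessionCookie(string $name = 'WebEngineSession', string $sameSite = 'Lax'): array
{
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    // Browsers only honour SameSite=None together with Secure, so force it there;
    // otherwise send Secure whenever the request itself arrived over TLS.
    $secure = $sameSite === 'None' || requestIsHttps();

    // ID shape discussed earlier on the page. Both settings are deprecated in
    // PHP 8.4, where the built-in 32-character hex default already gives 128 bits.
    ini_set('session.sid_length', '64');
    ini_set('session.sid_bits_per_character', '5');
    ini_set('session.use_strict_mode', '1');   // refuse IDs this server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL

    session_name($name);
    $params = [
        'lifetime' => 0,        // a true session cookie: dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // host-only cookie; not shared with subdomains
        'secure'   => $secure,
        'httponly' => true,     // unreadable from document.cookie, limits XSS impact
        'samesite' => $sameSite,
    ];
    session_set_cookie_params($params);
    return $params;
}

// Weak configurations a scanner would flag, for contrast (do not use):
//   session_set_cookie_params(['samesite' => 'None', 'secure' => false]); // browsers reject the cookie
//   session_set_cookie_params(['httponly' => false, 'samesite' => 'Lax']); // cookie readable by injected JS

/**
 * Call when the session's privilege level changes (login). A fresh ID ensures
 * that an ID planted before authentication (session fixation) is never promoted
 * to an authenticated one; the old file is deleted, not left behind.
 */
function promoteToAuthenticated(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

if (PHP_SAPI !== 'cli') {
    configureSessionCookie();
    session_start();
    // ... after credentials have been verified:
    // promoteToAuthenticated($verifiedUserId);
}
```

With these parameters the browser sends `WebEngineSession` on same-site requests and on cross-site top-level GET navigations, and withholds it from cross-site subrequests and form POSTs. State-changing handlers should therefore accept POST only and verify a CSRF token as well; the cookie attribute narrows the attack surface but does not replace that check.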
PHP.Gt/Session is a separately maintained component of PHP.Gt/WebEngine.