
danack/asm
==========

A userland replacement for PHP's session management.

Version 0.0.3, MIT licence, PHP. [Source](https://github.com/Danack/AdvancedSessionManagement) | [Packagist](https://packagist.org/packages/danack/asm) | [Issues](https://github.com/Danack/AdvancedSessionManagement/issues)

DO NOT USE
==========


It's not working correctly yet...

Advanced session management
===========================


Terminology
-----------


### UserProfile

A UserProfile is a string that holds some information about the computer that is accessing the session, for example the computer's IP address and user agent.

When the session is accessed, the user profile for the current request is checked against the user profiles that have already been used to access the session. If they are not identical, the profileChanged callable is called.

This can be used to detect, and prevent, an attacker accessing the session even if they know the session ID. The implementation of the profileChanged callable must be supplied by the programmer using this library.

For websites that are just showing pictures of funny cats, this security check could be very lax, or completely missing.

For banks or other websites where security is paramount
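As an added example (not code from this library), one policy an application could put behind the profileChanged callable, assuming the profile string is `<ip>|<user agent>`, which is an assumption since the README does not fix the format; the function name isProfileChangeAllowed is the one the README's callback example calls:

```php
<?php
// Added example, not part of danack/asm. It assumes the profile string is
// "<ip>|<user agent>", a format the README does not specify.

// Split a profile string into its IP and user-agent parts.
function parseProfile(string $profile): array
{
    $parts = explode('|', $profile, 2);
    return ['ip' => $parts[0] ?? '', 'ua' => $parts[1] ?? ''];
}

// First three octets of an IPv4 address, or null if it is not one.
function ipv4Prefix(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// Strict policy (the "bank" end of the spectrum): the user agent must equal one
// already seen on this session, and the IPv4 address must share its first three
// octets with that entry's address. This tolerates address churn inside one
// network but rejects a request from a different network or a different client.
function isProfileChangeAllowed(string $newProfile, array $previousProfiles): bool
{
    $new = parseProfile($newProfile);
    $newPrefix = ipv4Prefix($new['ip']);
    if ($newPrefix === null) {
        return false;
    }
    foreach ($previousProfiles as $seenProfile) {
        $seen = parseProfile($seenProfile);
        if ($seen['ua'] === $new['ua'] && ipv4Prefix($seen['ip']) === $newPrefix) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: one profile already recorded on the session.
$seen = ['203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0'];
var_dump(isProfileChangeAllowed('203.0.113.77|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', $seen)); // same network, same client
var_dump(isProfileChangeAllowed('198.51.100.5|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', $seen));  // different network
var_dump(isProfileChangeAllowed('203.0.113.77|curl/8.4.0', $seen));                                     // different client
```

A "funny cats" site would instead accept every change and only append the new profile to the list; the point is that the strictness lives in application code, not in the library.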

### Zombie Session

[Session fixation](https://www.owasp.org/index.php/Session_fixation) is an attack where a 3rd party manages to figure out someone's session ID and can then use it to spoof that user.

These attacks can be limited by using `Session::regenerateSessionID`, which generates a new session ID for the legitimate user. However, that causes a problem when multiple requests arrive in a short amount of time.

For example, a user browses to your website, opens 3 tabs pointing to different pages.

### Driver

ASM can use several backend storage systems; the code that provides these is called a 'driver'. Currently the Redis and filesystem drivers have been implemented. Pull requests for drivers for other storage systems are very welcome.

### Locking


- Lock on open -
- Lock on write -

Callbacks
---------


### Profile changed

```
function profileChanged(\Asm\Session $session, $newProfile, $previousProfiles) {
    // Reject the request if the new profile differs too much from those already
    // seen on this session; isProfileChangeAllowed is supplied by the application.
    if (isProfileChangeAllowed($newProfile, $previousProfiles) == false) {
        throw new UserDefinedException("Profile is too different.");
    }

    // Otherwise record the new profile and hand the updated list back to ASM.
    $previousProfiles[] = $newProfile;

    return $previousProfiles;
}
```

### Zombie key accessed

Called when a user attempts to use a session ID that is now a zombie ID.

```
function zombieKeyAccessed(\Asm\Session $session) {

}
```

### Invalid session accessed

Called when a user attempts to use a session ID that is invalid. This would be useful for preventing flood attacks where someone is making a large number of requests in an attempt to guess a session ID.

```
function invalidSessionAccessed(\Asm\Session $session) {

}
```

### Session Lost Lock

In some circumstances the lock on the session data can be lost.

```
function lostLockCallable(\Asm\Session $session) {

}
```

Goals
-----


### Explicit locking

Be explicit and expose locking in the same way databases expose different levels of locking, and allow applications to select the appropriate level, e.g. open in read-only mode and acquire a write lock only when needed.

### Lockless updates

- Expose Redis non-locking commands (e.g. , , etc.) to allow session data to be modified explicitly without taking a lock.

### Explicit updating


Allow user to discard update?

### Security

- Notify clients about invalid session IDs attempting to access the system.
- Allow implementing strategies for re-generating session IDs e.g. rules based on user I.P. changing, locking session to specific user-agent.
- Force cookie to be http only by default.

### Management


- User should spawn a regular task to cleanup old sessions, rather than have them garbage collected randomly via existing processes
- Allow sessionIDs that have recently been regenerated to new session IDs to continue to access the same data for a short time to allow session regeneration with simultaneous Ajax requests to not be borked e.g. [bcit-ci/CodeIgniter#1900](https://github.com/bcit-ci/CodeIgniter/pull/1900)
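The grace window described in the Zombie Session section and in the last item above, as an added example that is not danack/asm code: an in-memory store in which a regenerated ID stays resolvable for a few seconds, after which use of it triggers the zombie callback, while an ID that never existed triggers the invalid-session callback. The callback signatures (plain string IDs) are this example's own assumption.

```php
<?php
// Added example, not danack/asm code: an in-memory store that keeps a regenerated
// ("zombie") session ID resolvable for a short grace period, so concurrent tabs or
// Ajax requests still carrying the old ID are not broken. Callback signatures are
// this example's own assumption, not the library's.
final class ZombieAwareStore
{
    private array $sessions = [];  // live id => session data
    private array $zombies  = [];  // old id => ['newId' => string, 'expires' => int]
    public function __construct(
        private int $graceSeconds,
        private $zombieKeyAccessed,      // callable(string $oldId): void
        private $invalidSessionAccessed  // callable(string $id): void
    ) {}
    public function create(string $id, array $data): void
    {
        $this->sessions[$id] = $data;
    }
    // Move the data to $newId; $oldId stays resolvable until $now + grace.
    public function regenerate(string $oldId, string $newId, int $now): void
    {
        $this->sessions[$newId] = $this->sessions[$oldId];
        unset($this->sessions[$oldId]);
        $this->zombies[$oldId] = ['newId' => $newId, 'expires' => $now + $this->graceSeconds];
    }
    // Map the ID a request presented to the live ID, or null if it must be refused.
    public function resolve(string $id, int $now): ?string
    {
        if (isset($this->sessions[$id])) {
            return $id;
        }
        if (isset($this->zombies[$id])) {
            if ($now <= $this->zombies[$id]['expires']) {
                return $this->zombies[$id]['newId'];  // inside the window: follow the rename
            }
            unset($this->zombies[$id]);
            ($this->zombieKeyAccessed)($id);          // window over: old ID is now suspicious
            return null;
        }
        ($this->invalidSessionAccessed)($id);         // never existed: possible ID guessing
        return null;
    }
}

// Constructed walk-through: tab 1 regenerates, tab 2 still sends the old ID.
$store = new ZombieAwareStore(5, fn (string $id) => error_log("zombie ID used after grace: $id"),
    fn (string $id) => error_log("invalid session ID: $id"));
$store->create('old-id', ['user' => 42]);
$store->regenerate('old-id', 'new-id', 1000);
$store->resolve('old-id', 1002);  // tab 2 two seconds later still reaches the session
$store->resolve('old-id', 1010);  // the same old ID after the window is refused
```

A real driver would keep the zombie map in the same backend (Redis or filesystem) with a TTL instead of an in-process array, so the window survives across PHP workers.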

Misc ideas
----------


A redis pub-sub system where your session was subscribed to a pub-sub feed for the life of the request. If any other concurrent request modified the session your copy of the session would receive the publish update.

session_discard - why would that be needed?

Why?
----

```
//TODO - the whole way PHP has abstracted sessions with these functions just
//sucks. You should be building up a complete response and then sending everything at once,
//Not sending a header when this function is called.
session_start();

// session_destroy is evil - the session variables can still be set through setSessionVariable and they
// will work for the same page view. They disappear on the next page view though.
// Setting the $_SESSION variable to an empty array deletes all previous entries correctly.

//PHP automatically modified GET session behaviour -
/* Check whether the current request was referred to by
 * an external site which invalidates the previously found id. */

/* Finally check session id for dangerous characters
 * Security note: session id may be embedded in HTML pages.*/
```

Questions
---------


### Should session re-naming be supported?


### PHP currently 'encrypts' the session data?


Tests
-----


### Unit tests


```
php vendor/bin/phpunit -c test/phpunit.xml

```

### Code style


```
php vendor/bin/phpcs --standard=./test/codesniffer.xml --encoding=utf-8 --extensions=php -p -s lib

```
