
loculus/session-security-bundle
===============================

Bundle improving session security in Symfony based applications

v0.8.0 (3y ago) · 34 · MIT · PHP ^8.0

Since Jun 28 · pushed 3y ago · 1 watcher

[Source](https://github.com/evolic/session-security-bundle) · [Packagist](https://packagist.org/packages/loculus/session-security-bundle) · [RSS](/packages/loculus-session-security-bundle/feed) · branch `master`, synced 1mo ago

Session Security Bundle
=======================

About
-----

> **Session Fixation** is a security attack that permits an attacker to hijack a valid user session. Applications that don't assign new session IDs when authenticating users are vulnerable to this attack.

Symfony can handle the session fixation issue using one of three strategies:

- **NONE** - the session is not changed after authentication; this is not recommended;
- **MIGRATE** (**default**) - the session ID is updated, but the other session attributes are kept;
- **INVALIDATE** - the entire session is regenerated, so the session ID is updated but all other session attributes are lost.

This bundle was created to provide session security improvements for Symfony 6.0 applications.

Session Security Bundle addresses the case where a session cookie is hijacked from one user agent/device and replayed from another.

### The issue

Let's assume that you have two computers:

- one running Ubuntu, where you use Mozilla Firefox 102.0.1,
- and a second running Windows 10, where you use Google Chrome 100.0.

If you log in to your application as `jane_doe` and then copy the session cookie (named **PHPSESSID**) from one computer to the other, you will also be logged in as `jane_doe` on that computer.

This is because Symfony does not protect your application against session cookie hijacking.

Requirements
------------

The source code of this bundle is written in PHP 8.0, the same version as Symfony 6.0.

Three validators are based on [browscap](http://browscap.org/), the Browser Capabilities Project, which lets you detect:

- in the lite version: browser name, browser version, device type and platform (operating system);
- in the full version: all of the above plus browser capabilities, e.g. whether JavaScript, CSS, frames and tables are supported.

### Browscap installation

To install browscap, download the `browscap.ini` file (lite or full) and set the path to it in your `php.ini` file.

Then restart your PHP service (and web server); you should then be able to detect browsers and their platforms from the user agent header.

You can read more about browscap on the [php.net website](https://www.php.net/manual/en/function.get-browser.php).

Bundle installation
-------------------

To add this bundle to your application, run the following command:

```
composer req loculus/session-security-bundle
```

This command installs the latest version of this bundle and registers it in your `config/bundles.php`.

Then you need to configure validators and session invalidation strategies.

If you don't, you will get the following error message:

```
The child config "session_validators" under "session_security" must be configured.
```

### Configuration

Create a new YAML file `config/packages/loculus_session_security.yaml`.

The minimal configuration of the bundle is as follows:

```
loculus_session_security:
    session_validators: []
    session_invalidation_strategies: []
```

The above configuration:

- does not enable any session validator,
- and does not enable any session invalidation strategy.

So the bundle is enabled, but your application behaves as before.

#### Available session validators

You can use the following session validators:

- `user_agent_validator` - based on `$_SERVER['HTTP_USER_AGENT']`; not recommended, because users can upgrade their web browsers, which would cause undesired behaviour;
- `ip_address_validator` - based on `$_SERVER['REMOTE_ADDR']`; also not recommended, because a user's IP address can change frequently, which would cause undesired behaviour;
- `browser_name_validator` - based on the browser name provided by the browscap library; **highly recommended**; example values: `Firefox`, `Chrome`, `Safari`, `Opera`;
- `browser_platform_validator` - based on the browser platform (operating system) provided by the browscap library; **highly recommended**; example values: `Linux`, `Win10`, `iOS`, `Android`;
- `browser_device_type_validator` - based on the device type provided by the browscap library; **highly recommended**; example values: `Desktop`, `Tablet`, `Mobile Phone`.

#### Available session invalidation strategies

You can use the following session invalidation strategies:

- `session_regenerate_id_strategy` - regenerates the session id and then destroys the whole session; this strategy **should be enabled** if you want to protect your application against session hijacking;
- `throw_invalid_session_exception_strategy` - throws `InvalidSessionException`, which results in an HTTP 500 error for the current request;
- `throw_cookie_theft_exception_strategy` - throws `CookieTheftException`, provided by `symfony/security-core`, which forces Symfony to redirect the user to the log in form; this strategy **should be enabled** if you want to protect your application against session hijacking.

#### Invalid configuration

You cannot enable a session validator or session invalidation strategy that does not exist.

So the following bundle configuration throws an exception:

```
loculus_session_security:
    session_validators:
       - 'unknown_validator'

    session_invalidation_strategies:
       - 'unknown_strategy'
```

You can add your own session validator or session invalidation strategy by implementing the corresponding interface:

- `ValidatorInterface` for a session validator,
- and `InvalidationStrategyInterface` for a session invalidation strategy.

#### Recommended configuration

We recommend the following configuration:

```
loculus_session_security:
    session_validators:
        - 'browser_name_validator'
        - 'browser_platform_validator'
        - 'browser_device_type_validator'

    session_invalidation_strategies:
        - 'session_regenerate_id_strategy'
        - 'throw_cookie_theft_exception_strategy'
```

In the above case we check browser name, platform and device type. We don't check the browser version (no such validator is present in the bundle).

If the validation manager detects an invalid session, an `InvalidSessionEvent` is dispatched. The invalidation session listener intercepts this event and runs the invalidation strategy manager, which handles the issue in the way specified in the configuration.

In the above case the session id is regenerated, the invalid session is destroyed, and the user is redirected to the log in page because `CookieTheftException` is thrown.
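The validation flow just described, as an added stand-alone PHP sketch that is not the bundle's own code: it compares the browscap fields the three recommended validators use (`browser`, `platform`, `device_type`) between the fingerprint recorded at login and the current request, and on mismatch does what `session_regenerate_id_strategy` does. The function names and the sample fingerprints are constructed for this example; `get_browser()` only works when browscap is configured in `php.ini`.

```php
<?php
// Added example, not the bundle's code: what the browser_name/platform/device_type
// validators compare, and what session_regenerate_id_strategy does on mismatch.
declare(strict_types=1);

// browscap fields used by the three recommended validators.
const FINGERPRINT_FIELDS = ['browser', 'platform', 'device_type'];

// Fingerprint from a User-Agent header via browscap. Assumes browscap.ini is
// set in php.ini; get_browser() returns false otherwise and must fail closed.
function fingerprintFromUserAgent(string $userAgent): array
{
    $info = get_browser($userAgent, true);
    if ($info === false) {
        throw new RuntimeException('browscap is not configured in php.ini');
    }
    $fingerprint = [];
    foreach (FINGERPRINT_FIELDS as $field) {
        $fingerprint[$field] = $info[$field] ?? 'unknown';
    }
    return $fingerprint;
}

// Compare the fingerprint stored at login with the current request's one.
// Returns the differing fields; an empty array means the session is valid.
// On mismatch this mirrors session_regenerate_id_strategy: a fresh id (the
// copied cookie stops resolving), then the session data is destroyed.
function validateSession(array $stored, array $current): array
{
    $mismatched = [];
    foreach (FINGERPRINT_FIELDS as $field) {
        if (($stored[$field] ?? null) !== ($current[$field] ?? null)) {
            $mismatched[] = $field;
        }
    }
    if ($mismatched !== [] && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // bundle: InvalidSessionEvent is dispatched here
        $_SESSION = [];
        session_destroy();
    }
    return $mismatched;
}

// Constructed sample: logged in from Ubuntu/Firefox, cookie replayed from Win10/Chrome.
$stored  = ['browser' => 'Firefox', 'platform' => 'Linux', 'device_type' => 'Desktop'];
$current = ['browser' => 'Chrome', 'platform' => 'Win10', 'device_type' => 'Desktop'];
$mismatched = validateSession($stored, $current);
echo $mismatched === [] ? 'Session accepted' : 'Session rejected, mismatched: ' . implode(', ', $mismatched), PHP_EOL;
```

In a real request the stored fingerprint would be written to the session at login and the current one computed with `fingerprintFromUserAgent($_SERVER['HTTP_USER_AGENT'])` on every request.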

Note for web developers
-----------------------

If you are a web developer and use responsive mode in your web browser, you may experience (un)expected log outs. This is because your user agent header changes when you select a mobile device, while you were logged in from your desktop.

A redirect to the log in page occurs each time you change the device in responsive mode.

Tests
-----

### Unit tests

```
php vendor/bin/phpunit
```

### Code coverage

```
XDEBUG_MODE=coverage php vendor/bin/phpunit --coverage-clover=build/reports/phpunit-clover.xml --coverage-html=build/reports/coverage --log-junit=build/reports/phpunit-junit.xml
```


### Community

Maintainer: [evolic](/maintainers/evolic)

Top contributors: [evolic](https://github.com/evolic) (75 commits), [loculus-poland](https://github.com/loculus-poland) (6 commits)

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan, Psalm
- Code style: PHP_CodeSniffer
- Type coverage: yes

