
xp-forge/cookie-sessions
========================

Cookie-based sessions

v0.4.0 (4mo ago) · BSD-3-Clause · PHP >=7.4.0 · CI passing

Since May 30 · Pushed 4mo ago · 1 watcher

[Source](https://github.com/xp-forge/cookie-sessions) · [Packagist](https://packagist.org/packages/xp-forge/cookie-sessions) · [Docs](http://xp-framework.net/)


Cookie sessions for the XP Framework
====================================


[![Build status on GitHub](https://github.com/xp-forge/cookie-sessions/workflows/Tests/badge.svg)](https://github.com/xp-forge/cookie-sessions/actions)[![XP Framework Module](https://raw.githubusercontent.com/xp-framework/web/master/static/xp-framework-badge.png)](https://github.com/xp-framework/core)[![BSD Licence](https://raw.githubusercontent.com/xp-framework/web/master/static/licence-bsd.png)](https://github.com/xp-framework/core/blob/master/LICENCE.md)[![Requires PHP 7.4+](https://raw.githubusercontent.com/xp-framework/web/master/static/php-7_4plus.svg)](http://php.net/)[![Supports PHP 8.0+](https://raw.githubusercontent.com/xp-framework/web/master/static/php-8_0plus.svg)](http://php.net/)[![Latest Stable Version](https://camo.githubusercontent.com/f9efcecb470f198ba9ee63887423b522062183929316806808fa848ead192975/68747470733a2f2f706f7365722e707567782e6f72672f78702d666f7267652f636f6f6b69652d73657373696f6e732f76657273696f6e2e737667)](https://packagist.org/packages/xp-forge/cookie-sessions)

Cookie-based session implementation for the [sessions library](https://github.com/xp-forge/sessions/pull/10). The session state travels entirely inside the cookie, so no server-side storage is required and the approach scales well. However, it also comes with downsides, [discussed below](https://github.com/xp-forge/cookie-sessions#security).

Usage
-----


Inside the routing setup:

```
use web\session\CookieBased;
use web\auth\SessionBased;
use util\Secret;

// The key must be exactly 32 bytes; wrapping it in util\Secret keeps the value out of dumps
$secret= new Secret('y+lCLaMzxlnHjkTt3FoPVQ_x5XTHSr78'); // 32 bytes!
$sessions= new CookieBased($secret);

// $flow is the authentication flow (e.g. an OAuth2 flow) set up elsewhere in the routing
$auth= new SessionBased($flow, $sessions);
return $auth->required(function($req, $res) {
  // Use $req->value('user')
});
```

A binary-safe 32-byte secret key can be generated using the following. Note that this encodes 24 random bytes as 32 base64 characters, so the key is 32 bytes long but carries 192 bits of entropy, which is ample. Keep it out of version control: it is the single credential protecting every session cookie, and rotating it invalidates all of them at once.

```
$ xp -d 'base64_encode(random_bytes(24))'
string(32) "ai4BO6rpwgezJztTalg5rt29XNJwMRMQ"
```

Security
--------


As stated [here](https://github.com/SaintFlipper/EncryptedSession#why-use-server-side-session-storage-instead-):

> [The] security risk of putting the session data in the session cookie is the danger of "session replay" attacks. If a valid session cookie is captured from a user's browser (it's visible in the browser's developer console) then that cookie can be copied to another machine and used in a rogue session at any time.

The same applies to server-side sessions whose IDs are transmitted via cookies, but there we can destroy the session on the server to invalidate a stolen cookie, e.g. by deleting the session file or removing the relevant row from the database. For cookie-based sessions there is no way to guarantee session destruction remotely: the only global lever is rotating the secret, which invalidates every cookie for every user, so there is no safe per-user "Log me off on all devices" functionality.

However, if we use cookie-based sessions to store short-lived access tokens and record their expiry in the session, we reduce this risk significantly: a replay is only useful during that window of time, after which the token (and thus the cookie) is rejected. For Microsoft 365, this window is roughly one hour.

👉 **Long story short**: If server-side sessions are readily available, use them. If their dependencies come at a high cost and you have ways of managing the risk, or for development purposes, this implementation can be a valid choice.

Internals
---------


The session data is encrypted and then base64-encoded so that the cookie value contains only 7-bit ASCII. The first byte of the value selects the algorithm used:

- `S` for Sodium, using [sodium\_crypto\_box\_open()](https://www.php.net/sodium_crypto_box_open), requires Sodium extension
- `O` for OpenSSL, using [openssl\_encrypt()](https://www.php.net/openssl_encrypt), requires OpenSSL extension

The encrypted value is additionally signed with a hash, so any modification of the ciphertext, such as a [bit-flipping attack](https://en.wikipedia.org/wiki/Bit-flipping_attack), is detected and the cookie rejected instead of being decrypted into attacker-influenced session data.
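How the replay window from the Security section and the tamper check described here fit together, as an added example that is not the library's own code: a minimal encrypt-then-MAC cookie codec in plain PHP following the layout the README describes (indicator byte, then base64 of the encrypted value plus its hash signature), with an expiry embedded so that a captured cookie stops working once the short-lived token has expired. The function names (`seal_cookie`, `open_cookie`, `derive_keys`), the HKDF key split, AES-256-CBC with an HMAC-SHA256 tag, the JSON payload and the constructed sample data are assumptions of this example; the page documents nothing of the real wire format beyond the indicator byte.

```php
<?php
// Added example, not xp-forge/cookie-sessions code. Cookie value layout used here:
//   'O' . base64( iv . ciphertext . hmac )
// 'O' mirrors the README's OpenSSL indicator; everything after it is our own choice.

const INDICATOR_OPENSSL = 'O';
const CIPHER = 'aes-256-cbc';
const IV_LEN = 16;
const MAC_LEN = 32;   // SHA-256 output length

/** Derive independent encryption and MAC keys from the 32-byte session secret (assumed split). */
function derive_keys(string $secret): array {
  if (strlen($secret) !== 32) {
    throw new InvalidArgumentException('Secret must be exactly 32 bytes');
  }
  return [
    'enc' => hash_hkdf('sha256', $secret, 32, 'cookie-session-enc'),
    'mac' => hash_hkdf('sha256', $secret, 32, 'cookie-session-mac'),
  ];
}

/** Seal session data into a cookie value; $ttl seconds bounds the replay window. */
function seal_cookie(array $data, string $secret, int $ttl, ?int $now = null): string {
  $keys = derive_keys($secret);
  $data['expires'] = ($now ?? time()) + $ttl;   // a captured cookie is only useful until then
  $plain = json_encode($data, JSON_THROW_ON_ERROR);
  $iv = random_bytes(IV_LEN);
  $cipher = openssl_encrypt($plain, CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
  if ($cipher === false) {
    throw new RuntimeException('Encryption failed');
  }
  // Sign IV and ciphertext together: a flipped bit in either one breaks the tag
  $mac = hash_hmac('sha256', $iv.$cipher, $keys['mac'], true);
  return INDICATOR_OPENSSL.base64_encode($iv.$cipher.$mac);
}

/** Open a cookie value; returns null for unknown, malformed, tampered or expired cookies. */
function open_cookie(string $cookie, string $secret, ?int $now = null): ?array {
  if ($cookie === '' || $cookie[0] !== INDICATOR_OPENSSL) {
    return null;   // other indicators (Sodium, compressed) are not handled in this example
  }
  $raw = base64_decode(substr($cookie, 1), true);
  if ($raw === false || strlen($raw) < IV_LEN + MAC_LEN + 16) {
    return null;
  }
  $keys = derive_keys($secret);
  $iv = substr($raw, 0, IV_LEN);
  $mac = substr($raw, -MAC_LEN);
  $cipher = substr($raw, IV_LEN, -MAC_LEN);

  // Verify the tag before touching the ciphertext, in constant time
  $expected = hash_hmac('sha256', $iv.$cipher, $keys['mac'], true);
  if (!hash_equals($expected, $mac)) {
    return null;
  }
  $plain = openssl_decrypt($cipher, CIPHER, $keys['enc'], OPENSSL_RAW_DATA, $iv);
  if ($plain === false) {
    return null;
  }
  $data = json_decode($plain, true);
  if (!is_array($data) || !isset($data['expires'])) {
    return null;
  }
  if (($now ?? time()) >= $data['expires']) {
    return null;   // replayed after the token's window has closed
  }
  return $data;
}

// Demo with a constructed secret (the README's usage value) and a constructed token
$secret = 'y+lCLaMzxlnHjkTt3FoPVQ_x5XTHSr78';
$issued = 1_000_000;
$cookie = seal_cookie(['user' => 'alice', 'access_token' => 'tok_demo'], $secret, 3600, $issued);

var_dump(open_cookie($cookie, $secret, $issued + 10) !== null);   // presented inside the window
var_dump(open_cookie($cookie, $secret, $issued + 3600));          // replayed after expiry

// Flip one bit inside the ciphertext and present the cookie again: the MAC check rejects it
$raw = base64_decode(substr($cookie, 1));
$raw[IV_LEN + 3] = chr(ord($raw[IV_LEN + 3]) ^ 0x01);
var_dump(open_cookie(INDICATOR_OPENSSL.base64_encode($raw), $secret, $issued + 10));
```

The order of checks in `open_cookie` is the point: indicator, then base64 and length sanity, then the MAC, and only then decryption and the expiry check, so that an attacker never gets a decryption oracle on unauthenticated input. Rejecting on expiry inside the cookie itself is what turns the "short-lived token" argument from the Security section into an enforced property rather than a hope that the upstream API will refuse the token.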

Compression
-----------


To prevent hitting the [browser cookie limits](http://browsercookielimits.iain.guru/) (around 4 KB per cookie in common browsers) too early, cookie values are compressed using LZW (*which is [relatively easy to implement](http://www.rosettacode.org/wiki/LZW_compression#Simpler_Version) and gives good savings without requiring an extra PHP extension compiled in*) when doing so actually saves space. If the cookie value is compressed, the indicators above appear in lowercase (`s` and `o` instead of `S` and `O`).

An example:

- JSON value (response from `https://api.twitter.com/1.1/account/verify_credentials.json`): **2814 bytes**
- Encrypted and encoded cookie value, uncompressed: **3807 bytes** (*pretty close to the limit!*)
- Encrypted and encoded cookie value, compressed: **2477 bytes** (*more than a kilobyte saved; 65% of the uncompressed cookie*)
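The compress-only-if-worthwhile decision and the lowercase indicator, shown as an added example rather than the library's implementation: a byte-oriented LZW codec in plain PHP in the Rosetta Code style the README points to, with codes packed as 16-bit words and the dictionary capped at 65536 entries so every code fits, plus a wrapper that compresses only when the result is actually smaller. The 16-bit packing, the cap, the threshold, the function names and the constructed sample values are assumptions of this example, as is applying compression to the plaintext before it would be encrypted (encryption is omitted here to keep the focus on compression).

```php
<?php
// Added example, not the library's code: LZW with 16-bit codes and the
// "compress if worthwhile" decision, using the README's indicator letters.

const MAX_CODES = 65536;   // assumed cap so that every code fits in one 16-bit word

/** LZW-compress a byte string into big-endian 16-bit codes. */
function lzw_compress(string $input): string {
  if ($input === '') {
    return '';
  }
  $dict = [];
  for ($i = 0; $i < 256; $i++) {
    $dict[chr($i)] = $i;
  }
  $next = 256;
  $w = '';
  $codes = [];
  $len = strlen($input);
  for ($i = 0; $i < $len; $i++) {
    $wc = $w.$input[$i];
    if (isset($dict[$wc])) {
      $w = $wc;
    } else {
      $codes[] = $dict[$w];
      if ($next < MAX_CODES) {
        $dict[$wc] = $next++;   // stop growing the dictionary once codes would overflow 16 bits
      }
      $w = $input[$i];
    }
  }
  $codes[] = $dict[$w];
  return pack('n*', ...$codes);
}

/** Inverse of lzw_compress; throws on codes a well-formed stream cannot contain. */
function lzw_decompress(string $packed): string {
  if ($packed === '') {
    return '';
  }
  $codes = array_values(unpack('n*', $packed));
  $dict = [];
  for ($i = 0; $i < 256; $i++) {
    $dict[$i] = chr($i);
  }
  if (!isset($dict[$codes[0]])) {
    throw new UnexpectedValueException('Invalid first LZW code '.$codes[0]);
  }
  $next = 256;
  $w = $dict[$codes[0]];
  $out = $w;
  $n = count($codes);
  for ($i = 1; $i < $n; $i++) {
    $k = $codes[$i];
    if (isset($dict[$k])) {
      $entry = $dict[$k];
    } elseif ($k === $next) {
      $entry = $w.$w[0];   // the code that is being defined right now (KwKwK case)
    } else {
      throw new UnexpectedValueException('Invalid LZW code '.$k);
    }
    $out .= $entry;
    if ($next < MAX_CODES) {
      $dict[$next++] = $w.$entry[0];   // mirrors the compressor's dictionary growth exactly
    }
    $w = $entry;
  }
  return $out;
}

/** Prefix the value with the indicator; lowercase it when compression saved bytes. */
function encode_payload(string $value, string $indicator): string {
  $compressed = lzw_compress($value);
  if (strlen($compressed) < strlen($value)) {
    return strtolower($indicator).$compressed;
  }
  return strtoupper($indicator).$value;   // short or incompressible: store as-is
}

/** Reverse encode_payload by looking at the case of the indicator byte. */
function decode_payload(string $stored): string {
  $body = substr($stored, 1);
  return in_array($stored[0], ['s', 'o'], true) ? lzw_decompress($body) : $body;
}

// Constructed inputs: a short value, where two bytes per code cost more than they save,
// and a repetitive JSON document similar to an API profile response, where LZW pays off
$short = json_encode(['user' => 'alice']);
$long = json_encode([
  'user'   => 'alice',
  'roles'  => array_fill(0, 40, 'reader'),
  'scopes' => array_fill(0, 40, 'profile:read'),
]);
foreach ([$short, $long] as $value) {
  $stored = encode_payload($value, 'O');
  printf("%5d bytes in, %5d bytes stored, indicator %s, round-trip %s\n",
    strlen($value), strlen($stored), $stored[0], decode_payload($stored) === $value ? 'ok' : 'FAILED');
}
```

The decompressor's bounds checks matter for a cookie because the compressed bytes come from the client; even though the real library authenticates the value before decompressing it, a decoder that throws on an impossible code rather than reading an undefined dictionary slot is the safer default if the order of operations ever changes.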


### Health Score

33 (Low; better than 75% of packages)

- Maintenance: 75 (regular maintenance activity)
- Popularity: 4 (limited adoption so far)
- Community: 7 (small or concentrated contributor base)
- Maturity: 41 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 100% of commits; single point of failure)


### Release Activity

- Cadence: every ~438 days
- Total releases: 4
- Last release: 134d ago
- PHP version history (2 changes): v0.1.0 requires PHP >=7.0.0; v0.4.0 requires PHP >=7.4.0

### Community

Maintainers: [thekid](/maintainers/thekid)

Top contributors: [thekid](https://github.com/thekid) (22 commits)

Tags: cookie-session, php7, php8, sessions, web, xp-framework, module, xp


PHPackages © 2026

