TABLE OF CONTENTS
FILES CONFIG NOTES
Files and config list for this module, and some notes (if any).
FILES LIST
LIB-Session.php
The module itself.HOOK-SESS-Save.php
Hook to modify what is being saved into the session.HOOK-SESS-Load.php
Hook to modify what to do on session resume.lib/JWT
The Firebase PHP-JWT library.
RELATED CONFIG
- In
CORE-Config.php
:JWT_ALGO
Encryption algorithm, defaultHS256
.JWT_EXPIRE
Token expiry, default0
(none).JWT_ISSUER
Issuer name, set this to your company name or domain.JWT_SECRET
Private key, set this to your own. Generate a long and stinky random string.
LIB-Session.php - private $cookie
The “cookie template”. Change this to suit your project needs accordingly.
SESSION CONCEPTS
The session module uses JSON Web Token, not the default PHP session.
A QUICK TRACE & EXAMPLE
Not going to explain line-by-line. Here’s a quick example of using the session library to track user login.
FIRST VISIT – SIGN IN
- In
CORE-Go.php
–$_CORE->load("Session")
will start the session. - When the user signs in, we put the user data into the session –
$_SESSION["user"] = $_CORE->User->get(USERID)
. - Call
$_CORE->Session->save()
. This will create an encryptedcbsess
cookie containing$_SESSION
.
TAKE NOTE – We did not do session_start()
. Instead of saving session data in a temporary session file on the server, we save it in an encrypted cookie in the user’s browser.
SUBSEQUENT VISITS
- User sends
cbsess
cookie back to the server. $_CORE->load("Session")
, this time round the constructor will “unpack” the cookie and put the data back into$_SESSION
.- To sign off, call
$_CORE->Session->destroy()
. This will clear thecbsess
cookie.
CONTROLLING DATA TO SAVE IN COOKIE
// (A) ONLY SAVE USER ID INTO JWT
if (isset($data["user"])) {
$data["user"] = ["user_id" => $data["user"]["user_id"]];
}
Sharp code ninjas would have noticed – Isn’t it stupid to save data such as the user password in the cookie? This is where “hooks” come in handy, HOOK-SESS-Save.php
will be called right before the cookie is created. Use this to remove whatever “stupid data” you don’t want to save in the cookie.
CONTROLLING DATA TO LOAD ON “UNPACKING COOKIE”
// (A) LOAD USER INFO INTO SESSION
if (isset($this->data["user"])) {
$user = $this->DB->fetch(
"SELECT * FROM `users` WHERE `user_id`=?", [$this->data["user"]["user_id"]]
);
if (is_array($user)) {
unset($user["user_password"]);
$this->data["user"] = $user;
} else {
$this->destroy();
throw new Exception("Invalid or expired session.");
}
}
Sharp code ninjas would have noticed – If we only save the user ID in the cookie, how are we going to get the rest of the user data? This is where another hook comes in handy. HOOK-SESS-Load.php
is called right after the cookie is unpacked. Use this to get more/check for more information.
THE SUMMARY
If you are still lost:
- Put all session data into
$_SESSION
as usual. - Call
$_CORE->Session->save()
to “commit save”. - Call
$_CORE->Session->destroy()
to “end session”. - Use
HOOK-SESS-Save.php
to control what data to save into the cookie. - Use
HOOK-SESS-Load.php
to load more data when unpacking the cookie.
SESSION LIBRARY REFERENCES
Don’t think this is necessary, but just for the “official documentation”.
Automatically unpacks $_COOKIE["cbsess"]
and puts the data into $_SESSION
.
Puts the current $_SESSION
into $_COOKIE["cbsess"]
.
Clears $_SESSION
and $_COOKIE["cbsess"]
.