Initial Commit

Author: byjg

.gitignore

@@ -0,0 +1,3 @@
+.idea
+composer.lock
+vendor

README.md

@@ -0,0 +1,67 @@
+# JwtSession
+
+JwtSession is a PHP session replacement. Instead of use FileSystem, just use JWT TOKEN. 
+The implementation following the SessionHandlerInterface.
+
+## How to use:
+
+Before the session_start() use the command: 
+
+```php
+<?php
+$handler = new \ByJG\Session\JwtSession('your.domain.com', 'your super secret key');
+session_set_save_handler($handler, true);
+```
+
+Now, all your `$_SESSION` variable will be saved directly to a JWT Token!!
+ 
+## Motivation
+
+The default PHP Session does not work in different servers using round robin or other algorithms.
+This occurs because PHP Session are saved by default in the file system. 
+
+There are implementations can save the session to REDIS or MEMCACHED, for example. 
+But this requires to you create a new server to store this session and creates a single point of failure. 
+To avoid this you have to create REDIS/MEMCACHED clusters. 
+
+But if you save the session into JWT Token you do not need to create a new server.
+Just to use. 
+
+## Security Information
+
+The JWT Token cannot be changed, but it can be read. 
+This implementation save the JWT into a client cookie.  
+Because of this _**do not** store in the JWT Token sensible data like passwords_.
+ 
+## Install
+
+```
+composer require "byjg/jwt-session=1.0.*"
+```
+
+## Customizations
+ 
+### Setting the validity of JWT Token
+
+```php
+<?php
+// Setting to 50 minutes
+$handler = new \ByJG\Session\JwtSession('your.domain.com', 'your super secret key', 50);
+session_set_save_handler($handler, true);
+```
+
+### Setting the different Session Contexts
+
+```php
+<?php
+$handler = new \ByJG\Session\JwtSession('your.domain.com', 'your super secret key', 20, 'MYCONTEXT');
+session_set_save_handler($handler, true);
+```
+
+### Create the handler and replace the session handler
+
+```php
+<?php
+$handler = new \ByJG\Session\JwtSession('your.domain.com', 'your super secret key');
+$handler->replaceSessionHandler(true);
+```

composer.json

@@ -0,0 +1,22 @@
+{
+    "name": "byjg/jwt-session",
+    "description": "Use JWT Token as a PHP Session",
+    "authors": [
+        {
+            "name": "João Gilberto Magalhães",
+            "email": "joao@byjg.com.br"
+        }
+    ],
+    "autoload": {
+        "psr-4": {
+            "ByJG\\Session\\": "src/"
+        }
+    },
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "require": {
+        "php": ">=5.6.0",
+        "byjg/jwt-wrapper": "1.0.*"
+    },
+    "license": "MIT"
+}

src/JwtSession.php

@@ -0,0 +1,207 @@
+<?php
+/**
+ * User: jg
+ * Date: 14/02/17
+ * Time: 12:52
+ */
+
+namespace ByJG\Session;
+
+use ByJG\Util\JwtWrapper;
+use SessionHandlerInterface;
+
+class JwtSession implements SessionHandlerInterface
+{
+    const COOKIE_PREFIX = "AUTH_BEARER_";
+
+    protected $serverName;
+
+    protected $secretKey;
+
+    protected $timeOutMinutes;
+
+    protected $suffix = "default";
+
+    /**
+     * JwtSession constructor.
+     *
+     * @param $serverName
+     * @param $secretKey
+     * @param int $timeOutMinutes
+     */
+    public function __construct($serverName, $secretKey, $timeOutMinutes = 20, $sessionContext = 'default')
+    {
+        $this->serverName = $serverName;
+        $this->secretKey = $secretKey;
+        $this->timeOutMinutes = $timeOutMinutes;
+        $this->suffix = $sessionContext;
+    }
+
+    public function replaceSessionHandler($startSession = true)
+    {
+        if (session_status() != PHP_SESSION_NONE) {
+            throw new \Exception('Session already started!');
+        }
+
+        session_set_save_handler($this, true);
+
+        if ($startSession) {
+            ob_start();
+            session_start();
+        }
+    }
+
+    /**
+     * Close the session
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.close.php
+     * @return bool <p>
+     * The return value (usually TRUE on success, FALSE on failure).
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function close()
+    {
+        return true;
+    }
+
+    /**
+     * Destroy a session
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.destroy.php
+     * @param string $session_id The session ID being destroyed.
+     * @return bool <p>
+     * The return value (usually TRUE on success, FALSE on failure).
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function destroy($session_id)
+    {
+        setcookie(self::COOKIE_PREFIX . $this->suffix, null);
+        return true;
+    }
+
+    /**
+     * Cleanup old sessions
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.gc.php
+     * @param int $maxlifetime <p>
+     * Sessions that have not updated for
+     * the last maxlifetime seconds will be removed.
+     * </p>
+     * @return bool <p>
+     * The return value (usually TRUE on success, FALSE on failure).
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function gc($maxlifetime)
+    {
+        return true;
+    }
+
+    /**
+     * Initialize session
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.open.php
+     * @param string $save_path The path where to store/retrieve the session.
+     * @param string $name The session name.
+     * @return bool <p>
+     * The return value (usually TRUE on success, FALSE on failure).
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function open($save_path, $name)
+    {
+        return true;
+    }
+
+    /**
+     * Read session data
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.read.php
+     * @param string $session_id The session id to read data for.
+     * @return string <p>
+     * Returns an encoded string of the read data.
+     * If nothing was read, it must return an empty string.
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function read($session_id)
+    {
+        try {
+            if (isset($_COOKIE[self::COOKIE_PREFIX . $this->suffix])) {
+                $jwt = new JwtWrapper($this->serverName, $this->secretKey);
+                $data = $jwt->extractData($_COOKIE[self::COOKIE_PREFIX . $this->suffix]);
+
+                return $this->serializeSessionData($data->data);
+            }
+            return '';
+        } catch (\Exception $ex) {
+            return '';
+        }
+    }
+
+    /**
+     * Write session data
+     *
+     * @link http://php.net/manual/en/sessionhandlerinterface.write.php
+     * @param string $session_id The session id.
+     * @param string $session_data <p>
+     * The encoded session data. This data is the
+     * result of the PHP internally encoding
+     * the $_SESSION superglobal to a serialized
+     * string and passing it as this parameter.
+     * Please note sessions use an alternative serialization method.
+     * </p>
+     * @return bool <p>
+     * The return value (usually TRUE on success, FALSE on failure).
+     * Note this value is returned internally to PHP for processing.
+     * </p>
+     * @since 5.4.0
+     */
+    public function write($session_id, $session_data)
+    {
+        $jwt = new JwtWrapper($this->serverName, $this->secretKey);
+        $data = $jwt->createJwtData($this->unSerializeSessionData($session_data), $this->timeOutMinutes * 60);
+        $token = $jwt->generateToken($data);
+
+        setcookie(self::COOKIE_PREFIX . $this->suffix, $token);
+
+        return true;
+    }
+
+    public function serializeSessionData($array)
+    {
+        $result = '';
+        foreach ($array as $key => $value) {
+            $result .= $key . "|" . serialize($value);
+        }
+
+        return $result;
+    }
+
+    public function unSerializeSessionData($session_data)
+    {
+        $return_data = array();
+        $offset = 0;
+        while ($offset < strlen($session_data)) {
+            if (!strstr(substr($session_data, $offset), "|")) {
+                throw new \Exception("invalid data, remaining: " . substr($session_data, $offset));
+            }
+            $pos = strpos($session_data, "|", $offset);
+            $num = $pos - $offset;
+            $varname = substr($session_data, $offset, $num);
+            $offset += $num + 1;
+            $data = unserialize(substr($session_data, $offset));
+            $return_data[$varname] = $data;
+            $offset += strlen(serialize($data));
+        }
+
+        return $return_data;
+    }
+}

webtest/destroy.php

@@ -0,0 +1,19 @@
+<?php
+
+require_once __DIR__ . "/../vendor/autoload.php";
+
+$handler = new \ByJG\Session\JwtSession('api.com.br', '1234567890');
+$handler->replaceSessionHandler(true);
+
+session_destroy();
+?>
+
+<h1>JwtSession Demo - Destroy whole session</h1>
+
+<div>
+    Now, your session is empty again.
+</div>
+
+<div>
+    Go back and check this page: <a href="index.php">Index</a>
+</div>

webtest/index.php

@@ -0,0 +1,29 @@
+<?php
+
+require_once __DIR__ . "/../vendor/autoload.php";
+
+$handler = new \ByJG\Session\JwtSession('api.com.br', '1234567890');
+$handler->replaceSessionHandler(true);
+
+?>
+
+<h1>JwtSession Demo</h1>
+
+<div>
+    Here the user just use the JwtSession as the session handler.
+    The $_SESSION handler current is:
+</div>
+
+<div>
+    <textarea cols="50" rows="20"><?php print_r($_SESSION);?>
+    </textarea>
+</div>
+
+<div>
+    Now, play with sessions:
+    <ul>
+        <li><a href="setsession.php">Set a session</a></li>
+        <li><a href="unsetsession.php">Unset a session</a></li>
+        <li><a href="destroy.php">Destroy all session</a></li>
+    </ul>
+</div>

webtest/setsession.php

@@ -0,0 +1,23 @@
+<?php
+
+require_once __DIR__ . "/../vendor/autoload.php";
+
+$handler = new \ByJG\Session\JwtSession('api.com.br', '1234567890');
+$handler->replaceSessionHandler(true);
+
+$count = intval($_SESSION['count']) + 1;
+
+$_SESSION['count'] = $count;
+$_SESSION['setvalue_' . $count] = 'Set at date ' . date('Y-m-d H:i:s');
+
+?>
+
+<h1>JwtSession Demo - Set Session</h1>
+
+<div>
+    Everytime you reach this page I'll create a new key: setvalue1, setvalue2, ...
+</div>
+
+<div>
+    Go back and check this page: <a href="index.php">Index</a>
+</div>