psr7-sessions/storageless

validation of session cookie

Closed this issue · 8 comments

I haven't been able to find a method for validating the session slsession cookie without extracting the token and using the JWT library directly.

I see a hasChanged() method, but it isn't obvious what this is referring to. Changing the signature of the sent cookie still returns false.

Is this missing functionality, or out of scope for the library?

The cookie is already validated?

What is observed when the token doesn't pass validation? Sorry if I'm thick, I just can't see it.

So there is no exception or error raised when the token doesn't validate? No flag to check?

Correct: the dispatch will continue, but without a valid session: any session operations will lead to a new session.

Ahh, okay, so it discards the invalid token and creates a new one, which I think is the behavior of PHP session_start if it doesn't recognize the session ID.

Kinda similar, yes. Does that clear everything up? In theory, we tested every corner of this lib accurately, to prevent behaviour that isn't explicitly documented in test cases.

Yes, I think so. No magic, just a session cookie passed back and forth with automatic disposal of invalid sessions. :)
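One way to observe the silent discard discussed in this thread, as an added example that is not part of the issue or of the library's own code: a PSR-15 middleware placed after `SessionMiddleware` that logs requests which carried a session cookie but ended up with an empty session, which is the only visible trace of a rejected token. It assumes the `SessionMiddleware::SESSION_ATTRIBUTE` and `SessionMiddleware::DEFAULT_COOKIE` constants and `SessionInterface::isEmpty()` from storageless, plus a PSR-3 logger.

```php
<?php
declare(strict_types=1);

use PSR7Sessions\Storageless\Http\SessionMiddleware;
use PSR7Sessions\Storageless\Session\SessionInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;

/**
 * Runs after SessionMiddleware in the pipeline. A token that fails
 * validation is discarded without any exception or flag, so the only
 * trace is an empty session on a request that did present a cookie.
 */
final class RejectedSessionLogger implements MiddlewareInterface
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Assumed constant names: SESSION_ATTRIBUTE ('session') and DEFAULT_COOKIE ('slsession').
        $session   = $request->getAttribute(SessionMiddleware::SESSION_ATTRIBUTE);
        $cookies   = $request->getCookieParams();
        $hadCookie = isset($cookies[SessionMiddleware::DEFAULT_COOKIE]);

        if ($session instanceof SessionInterface && $hadCookie && $session->isEmpty()) {
            // Caveat: a valid token that simply carried no data looks the same here;
            // a burst of these from one client is still the signal worth alerting on.
            // The cookie value itself is deliberately not logged.
            $this->logger->notice('Session cookie present but no session restored', [
                'ip'   => $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown',
                'path' => $request->getUri()->getPath(),
            ]);
        }

        return $handler->handle($request);
    }
}
```

Register it immediately after `SessionMiddleware` in your PSR-15 pipeline; placed before it, the session attribute is not yet set and nothing is logged.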