Adds a session handler that tries storing the session in an encrypted cookie when possible, and if not (
because the session is too large, or headers have already been set) stores it in the database.
This allows using SilverStripe on multiple servers without sticky sessions (as long as you solve other
multi-server issues like asset storage and databases).
composer require silverstripe/hybridsessions:*
// Ensure that you define a sufficiently indeterminable value for SS_SESSION_KEY in your `.env` use SilverStripe\HybridSessions\HybridSession; HybridSession::init(SS_SESSION_KEY);
As long as the key is unguessable and secret, generally this should be as secure as server-side-only cookies. The one
exception is that cookie sessions are vulnerable to replay attacks. This is only a problem if you're storing stuff you
shouldn't in the session anyway, but it's important you understand the issue. Ruby on rails has good documentation of
the issue at http://guides.rubyonrails.org/security.html#replay-attacks-for-cookiestore-sessions
This module ships with two default cryptographic handlers:
OpenSSLCrypto: uses the OpenSSL library (default).
McryptCrypto: uses the mcrypt library. Please note that this is
You can also implement your own cryptographic handler by creating a class that implements the
To configure the active handler, add YAML configuration to your project:
--- Name: myappsessionstores After: sessionstores --- SilverStripe\HybridSessions\HybridSession: SilverStripe\HybridSessions\Crypto\CryptoHandler: class: MyCustomCryptoHandler
This module is not fully compatible with the
testsession module, as the database
store is not available prior to DB connectivity, which uses the session to dictate DB connections.
Data smaller than 1000 bytes may still be stored via the cookie store, but larger data sets will be lost.
Module rating system helping users find modules that are well supported. For more on how the rating system works visit Module standards
Score not correct? Let us know there is a problem