The aura framework make use of Aura.Session package, which provides session management functionality, including session segments, read-once (“flash”) values, CSRF tools, and lazy session starting.
The controller doesn’t have
Aura\Session\Manager object. So let us add a
setSessionManager in the controller to make use of setter
And now we can get the object of
Aura\Session\Manager inside controller
and make use of it.
In-order to get session manager we need to create a view helper and
And once you are done with the configuration, you can get the
Aura\Session\Manger object within the view like
A session segment is a reference to an array key in the
superglobal. For example, if you ask for a segment named
segment will be a reference to
$_SESSION['ClassName']. All values in the
ClassName segment will be stored in an array under that key.
The benefit of a session segment is that we can deconflict the keys in the
$_SESSION superglobal by using class names (or some other unique name) for
the segment names. With segments, different packages can use the
superglobal without stepping on each other’s toes.
Merely instantiating the
Manager and getting a session segment does not
start a session automatically. Instead, the session is started only when you
read or write to a session segment. This means we can create segments at
will, and no session will start until we read from or write to one them.
If we read from a session segment, it will check to see if a previously available session exists, and reactivate it if it does. Reading from a segment will not start a new session.
If we write to a session segment, it will check to see if a previously available session exists, and reactivate it if it does. If there is no previously available session, it will start a new session, and write to it.
Of course, we can force a session start or reactivation by calling the
start() method, but that defeats the purpose of lazy-loaded
When you are done with a session and want its data to be available later, call
The aura framework already have a
commit() method at the end of the
commit()method is the equivalent of
session_write_close(). If you do not commit the session, its values will not be available when we continue the session later.
Any time a user has a change in privilege (that is, gaining or losing access rights within a system) be sure to regenerate the session ID:
regenerateId()method also regenerates the CSRF token value.
To clear the in-memory session data, but leave the session active, use the
To end a session and remove its data (both committed and in-memory), generally
after a user signs out or when authentication timeouts occur, call the
Session segment values persist until a session is cleared or destroyed. However, sometimes it is useful to set a value that propagates only until it is used, and then automatically clears itself. These are called “flash” or “read-once” values.
To set a read-once value on a segment, use the
Then, in subsequent sessions, we can read the flash value using
Sometimes we need to know if a flash value exists, but don’t want to read it
yet (thereby removing it from the session). In these cases, we can use the
To clear all flash values on a segment, use the
To defend against CSRF attacks, server-side logic should:
Place a token value unique to each authenticated user session in each form; and
Check that all incoming POST/PUT/DELETE (i.e., “unsafe”) requests contain that value.
N.b.: If our application uses GET requests to modify resources (which incidentally is an improper use of GET), we should also check for CSRF on GET requests from authenticated users.
For this example, the form field name will be
'__csrf_value''. In each form
we want to protect against CSRF, we use the session CSRF token value for that
When processing the request, check to see if the incoming CSRF token is valid for the authenticated user:
For a CSRF token to be useful, its random value must be cryptographically
secure. Using things like
mt_rand() is insufficient. Aura.Session comes with
Randval class that implements a
RandvalInterface, and uses either the
openssl or the
mcrypt extension to generate a random value. If you do not
have one of these extensions installed, you will need your own random-value
implementation of the
RandvalInterface. We suggest a wrapper around