9.0.0

Closed Jul 25, 2023 100% complete

This release moves the \PSR7Sessions\Storageless\Http\SessionMiddleware constructor parameters into a more robust and easy-to-use \PSR7Sessions\Storageless\Http\Configuration object with the following API:

use Dflydev\FigCookies\SetCookie;
use Lcobucci\Clock\Clock;
use Lcobucci\JWT\Configuration as JwtConfig;
use PSR7Sessions\Storageless\Http\ClientFingerprint\Configuration as FingerprintConfig;

/** @immutable */
final class \PSR7Sessions\Storageless\Http\Configuration
{
    public function __construct(JwtConfig $jwtConfiguration);

    public function withJwtConfiguration(JwtConfig $jwtConfiguration): self;
    public function withClock(Clock $clock): self;
    public function withCookie(SetCookie $cookie): self;
    /** @param positive-int $idleTimeout */
    public function withIdleTimeout(int $idleTimeout): self;
    /** @param positive-int $refreshTime */
    public function withRefreshTime(int $refreshTime): self;
    /** @param literal-string $sessionAttribute */
    public function withSessionAttribute(string $sessionAttribute): self;
    public function withClientFingerprintConfiguration(FingerprintConfig $clientFingerprintConfiguration): self;
}

Active sessions issued with v8 are compatible with the new v9: the changes are at the API level only.

A new configuration has been added to mitigate session hijacking attacks; see the documentation at https://github.com/psr7-sessions/storageless/tree/9.0.x#session-hijacking-mitigation
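
A v9 wiring that uses the Configuration API listed above and turns on the client-fingerprint mitigation, as an added example that is not taken from the release notes. The environment variable name, cookie name and timeout values are constructed for illustration; `FingerprintConfig::forIpAndUserAgent()` is the factory described in the linked documentation and should be checked against the installed version.

```php
<?php
declare(strict_types=1);

use Dflydev\FigCookies\Modifier\SameSite;
use Dflydev\FigCookies\SetCookie;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration as JwtConfig;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use PSR7Sessions\Storageless\Http\ClientFingerprint\Configuration as FingerprintConfig;
use PSR7Sessions\Storageless\Http\Configuration as StoragelessConfig;
use PSR7Sessions\Storageless\Http\SessionMiddleware;

require __DIR__ . '/vendor/autoload.php'; // assumed Composer layout

// Assumption: the HMAC key is supplied base64-encoded in SESSION_SIGNING_KEY
// (hypothetical variable name) and decodes to at least 32 random bytes.
// Fail closed when it is missing instead of falling back to a built-in key.
$encodedKey = getenv('SESSION_SIGNING_KEY');
if (! is_string($encodedKey) || $encodedKey === '') {
    throw new RuntimeException('SESSION_SIGNING_KEY is not set');
}

// v8 passed the JWT configuration straight to SessionMiddleware (or used the
// removed fromSymmetricKeyDefaults() helper). v9 wraps it in the immutable
// Configuration object; every with*() call returns a new instance.
$configuration = (new StoragelessConfig(
    JwtConfig::forSymmetricSigner(new Sha256(), InMemory::base64Encoded($encodedKey)),
))
    ->withClock(SystemClock::fromUTC())
    ->withCookie(
        SetCookie::create('__Secure-session') // constructed cookie name
            ->withSecure(true)                // never sent over plain HTTP
            ->withHttpOnly(true)              // not readable from page scripts
            ->withSameSite(SameSite::lax())
            ->withPath('/'),
    )
    ->withIdleTimeout(1200)                   // constructed value, seconds
    ->withRefreshTime(60)                     // constructed value, seconds
    ->withSessionAttribute('session')
    // Session hijacking mitigation: bind the token to the client's IP and
    // User-Agent so a copied cookie is rejected when replayed from elsewhere.
    ->withClientFingerprintConfiguration(FingerprintConfig::forIpAndUserAgent());

$sessionMiddleware = new SessionMiddleware($configuration);
```

Behind a reverse proxy the IP seen by PHP is the proxy's, so the fingerprint source needs to be adapted as the linked documentation describes.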

This is a major release and breaks backwards compatibility.

Specifically, the following changes are relevant:

[BC] REMOVED: Constant PSR7Sessions\Storageless\Http\SessionMiddleware::DEFAULT_COOKIE was removed
[BC] REMOVED: Constant PSR7Sessions\Storageless\Http\SessionMiddleware::DEFAULT_REFRESH_TIME was removed
[BC] REMOVED: Method PSR7Sessions\Storageless\Http\SessionMiddleware::fromSymmetricKeyDefaults() was removed
[BC] REMOVED: Method PSR7Sessions\Storageless\Http\SessionMiddleware::fromRsaAsymmetricKeyDefaults() was removed
[BC] REMOVED: Method PSR7Sessions\Storageless\Http\SessionMiddleware::buildDefaultCookie() was removed
[BC] CHANGED: The parameter $configuration of PSR7Sessions\Storageless\Http\SessionMiddleware#__construct() changed from Lcobucci\JWT\Configuration to a non-contravariant PSR7Sessions\Storageless\Http\Configuration
