Cookie Adapter
InitPHP\Sessions\Adapters\CookieAdapter stores the entire session payload
in an encrypted, base64-encoded cookie on the client. There is no server-side
storage at all — ideal for stateless/horizontally-scaled servers.
Requirements: `initphp/encryption` (`composer require initphp/encryption`) and ext-openssl.
The payload is encrypted with AES-256-CTR + SHA-256 (via initphp/encryption's
OpenSSL handler) before it ever leaves the server, so the client can hold the
data but cannot read or tamper with it.
| Option | Type | Default | Notes |
|---|---|---|---|
| `name` | string | — | Required. Cookie name. |
| `key` | string | — | Required. Encryption key. Treat as a secret. |
| `ttl` | int | 86400 | Cookie lifetime in seconds. |
| `path` | string | `/` | Cookie path. |
| `domain` | string | `''` | Cookie domain. |
| `secure` | bool | false | Send only over HTTPS. |
| `httponly` | bool | true | Hide from JavaScript. |
| `samesite` | string | Lax | `Lax`, `Strict`, or `None`. |
Missing `name`/`key` throws a `SessionInvalidArgumentException`; a missing initphp/encryption library throws a `SessionNotSupportedAdapter`.
```php
use InitPHP\Sessions\Session;
use InitPHP\Sessions\Adapters\CookieAdapter;

$adapter = new CookieAdapter([
    'name'     => 'app_session',
    'key'      => getenv('SESSION_KEY'), // keep this secret & stable
    'ttl'      => 86400,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

Session::createImmutable($adapter)->start();
```

- Confidentiality & integrity come from initphp/encryption. A cookie that has been tampered with, corrupted, or encrypted with a different `key` fails to decrypt and is treated as an empty session (no exception is thrown).
- `key` rotation invalidates all existing cookies — rotate deliberately.
- `secure`/`httponly`/`samesite` default to safe-ish values (`httponly` on, `samesite=Lax`); set `secure => true` in production (HTTPS) and consider `samesite => 'Strict'` for sensitive apps.
- Size. Cookies are capped (~4 KB per cookie by browsers). Keep the payload small — store an id or a few flags, not large objects.
- Every response re-sends the cookie, so it travels on each request. Don't put large or rarely-changing data here.
- `key` must be stable across your fleet, or users on a different server will appear logged out.
If you need to store more than a few small values, use a server-side adapter (Redis, PDO, MongoDB) instead.
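To make the properties above concrete, here is an added example (not initphp/encryption's or the adapter's own code) of a sealed-cookie codec in the same shape: AES-256-CTR for confidentiality, an HMAC-SHA-256 tag checked before decryption for integrity, and a 4 KB size guard. The `iv|ciphertext|tag` layout, the `hash()`-based key split, and the function names are assumptions of this example, not the library's wire format.

```php
<?php
// Added example, not initphp/encryption's real format: shows why a tampered
// cookie or a rotated key yields an empty session rather than an exception.
const COOKIE_MAX_BYTES = 4096; // browsers cap a single cookie at roughly 4 KB

/** Derive independent encryption and MAC keys from the configured secret (assumption). */
function deriveKeys(string $secret): array
{
    return [
        hash('sha256', 'enc:' . $secret, true), // 32-byte AES-256 key
        hash('sha256', 'mac:' . $secret, true), // 32-byte HMAC key
    ];
}

/** Encrypt then authenticate; returns null when the result would exceed the cookie cap. */
function sealSession(array $data, string $secret): ?string
{
    [$encKey, $macKey] = deriveKeys($secret);
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-ctr'));
    $cipher = openssl_encrypt(json_encode($data), 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $cipher, $macKey, true);
    $cookie = base64_encode($iv . $cipher . $tag);
    return strlen($cookie) > COOKIE_MAX_BYTES ? null : $cookie;
}

/** Verify then decrypt; tampering, corruption or a wrong key all return [] (no exception). */
function openSession(string $cookie, string $secret): array
{
    [$encKey, $macKey] = deriveKeys($secret);
    $ivLen = openssl_cipher_iv_length('aes-256-ctr');
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < $ivLen + 32) {
        return [];
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, -32);
    $cipher = substr($raw, $ivLen, -32);
    // Constant-time tag check before any decryption (encrypt-then-MAC).
    if (!hash_equals(hash_hmac('sha256', $iv . $cipher, $macKey, true), $tag)) {
        return [];
    }
    $plain = openssl_decrypt($cipher, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    $data = $plain === false ? null : json_decode($plain, true);
    return is_array($data) ? $data : [];
}

// Constructed demo: round trip succeeds; one flipped ciphertext bit or a rotated key gives [].
$secret = 'constructed-demo-secret';
$cookie = sealSession(['user_id' => 42, 'role' => 'editor'], $secret);
var_dump(openSession($cookie, $secret)['user_id'] === 42);
$raw = base64_decode($cookie);
$raw[20] = chr(ord($raw[20]) ^ 0x01); // byte 20 lies inside the ciphertext
var_dump(openSession(base64_encode($raw), $secret) === []);
var_dump(openSession($cookie, 'rotated-secret') === []);
```

Because the tag covers the IV and ciphertext, every bit flip fails the `hash_equals` check before decryption runs, which is the same observable behaviour the adapter documents: an empty session, not an error.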
initphp/sessions · MIT License · part of the InitPHP family