Skip to content
docsv0.1.0

SessionStore

Where sessions live — the storage seam for opaque, revocable, expiring server-side sessions. This is the package's central act of restraint: auth defines *what* it needs from storage (read a record by id, write one, destroy one) and a downstream package decides *how* — a `milpa/data` backend, Redis, a database table. Auth never reaches for a database of its own. Implementations MUST be fail-closed on read: {@see self::read()} returns `null` not only for an absent id but for any record that is no longer valid (expired or revoked), so a stale session can never resurrect an actor.

SessionStore::read()

abstract public function read(string $sessionId): ?Milpa\Auth\SessionRecord

The session stored under `$sessionId`, or `null` when none is stored — or when the stored one is no longer valid (expired or revoked). Fail-closed: an invalid session reads as absent.

Parameters

Parameters of read()
NameTypeDescription
$sessionIdstring

SessionStore::write()

abstract public function write(Milpa\Auth\SessionRecord $session): void

Persists `$session`, keyed by its {@see SessionRecord::$id} — issuing a new session or replacing an existing one under the same id.

Parameters

Parameters of write()
NameTypeDescription
$sessionMilpa\Auth\SessionRecord

SessionStore::destroy()

abstract public function destroy(string $sessionId): void

Removes the session stored under `$sessionId` — the hard revocation path. A no-op when none is stored.

Parameters

Parameters of destroy()
NameTypeDescription
$sessionIdstring