Skip to content
docsv0.1.0

SessionRecord

A persisted session: the plain, storage-agnostic shape a {@see Contracts\SessionStore} reads and writes. It records who the session belongs to ({@see self::$actorId}, {@see self::$actorType}) and what it grants ({@see self::$scopes}, {@see self::$claims}), plus the lifetime facts that decide whether it may still be trusted — its {@see self::$expiresAt} and its {@see self::$revoked} flag. It carries no storage concern of its own; {@see self::toActor()} projects it back into the live {@see Actor} the policy layer authorises against. Immutable by construction.

SessionRecord::__construct()

public function __construct(string $id, string $actorId, Milpa\Auth\ActorType $actorType, DateTimeImmutable $createdAt, DateTimeImmutable $expiresAt, array $scopes = [], array $claims = [], bool $revoked = false):

Parameters

Parameters of __construct()
NameTypeDescription
$idstringthe opaque session id (the value behind the cookie/token)
$actorIdstringthe {@see Actor::$id} this session belongs to
$actorTypeActorTypethe {@see Actor::$type} this session belongs to
$createdAt\DateTimeImmutablewhen the session was issued
$expiresAt\DateTimeImmutablewhen the session stops being valid
$scopeslist<string>the permissions the session grants its actor
$claimsarray<string, mixed>everything else to rehydrate onto the {@see Actor}
$revokedboolwhether the session was explicitly revoked before expiry

SessionRecord::isExpired()

public function isExpired(DateTimeImmutable $now): bool

Whether this session has expired as of `$now` — true once `$now` reaches or passes {@see self::$expiresAt}. The clock is the caller's to supply, never read ambiently, so expiry is deterministic and testable.

Parameters

Parameters of isExpired()
NameTypeDescription
$nowDateTimeImmutable

SessionRecord::isValid()

public function isValid(DateTimeImmutable $now): bool

Whether this session may still be trusted as of `$now`: neither expired ({@see self::isExpired()}) nor {@see self::$revoked}. Fail-closed — anything that is not provably still valid is invalid.

Parameters

Parameters of isValid()
NameTypeDescription
$nowDateTimeImmutable

SessionRecord::toActor()

public function toActor(): Milpa\Auth\Actor

Projects this record into the live {@see Actor} the policy layer authorises against, carrying the session's actor id, type, scopes, and claims. Validity is checked separately via {@see self::isValid()} — projecting a record does not, on its own, assert it is still good.