Skip to content
docsv0.1.0

StartSession

The PSR-15 middleware that resolves the *cookie* credential channel: it reads the session id from the configured cookie, looks it up in the {@see SessionStore}, and attaches the resulting {@see AuthContext} under {@see AuthenticateMiddleware::ATTRIBUTE}. A live session becomes {@see AuthContext::authenticated()}; anything else — no cookie, an unknown id, or a session the store reports as expired or revoked — becomes {@see AuthContext::anonymous()}. Like {@see AuthenticateMiddleware} it only *produces* a context and never throws: the fail-closed decision belongs to {@see RequireScopeMiddleware} downstream, so this composes BEFORE the guard. It carries no clock of its own — {@see SessionStore::read()} is contractually fail-closed (it returns `null` for an expired or revoked record), so a `null` read is the single "not a live session" signal this middleware needs.

StartSession::__construct()

public function __construct(Milpa\Auth\Contracts\SessionStore $store, string $cookieName = 'milpa_session'):

Parameters

Parameters of __construct()
NameTypeDescription
$storeSessionStorewhere sessions are read from — the storage seam this middleware trusts to be fail-closed
$cookieNamestringthe cookie the opaque session id travels in

StartSession::process()

public function process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Resolves the session cookie to an {@see AuthContext}, attaches it under {@see AuthenticateMiddleware::ATTRIBUTE}, and passes the request on — authenticated for a live session, anonymous for everything else.

Parameters

Parameters of process()
NameTypeDescription
$requestPsr\Http\Message\ServerRequestInterface
$handlerPsr\Http\Server\RequestHandlerInterface