StartSession
The PSR-15 middleware that resolves the *cookie* credential channel: it reads the session id from the configured cookie, looks it up in the {@see SessionStore}, and attaches the resulting {@see AuthContext} under {@see AuthenticateMiddleware::ATTRIBUTE}. A live session becomes {@see AuthContext::authenticated()}; anything else — no cookie, an unknown id, or a session the store reports as expired or revoked — becomes {@see AuthContext::anonymous()}. Like {@see AuthenticateMiddleware} it only *produces* a context and never throws: the fail-closed decision belongs to {@see RequireScopeMiddleware} downstream, so this composes BEFORE the guard. It carries no clock of its own — {@see SessionStore::read()} is contractually fail-closed (it returns `null` for an expired or revoked record), so a `null` read is the single "not a live session" signal this middleware needs.
StartSession::__construct()
public function __construct(Milpa\Auth\Contracts\SessionStore $store, string $cookieName = 'milpa_session'):Parameters
| Name | Type | Description |
|---|---|---|
| $store | SessionStore | where sessions are read from — the storage seam this middleware trusts to be fail-closed |
| $cookieName | string | the cookie the opaque session id travels in |
StartSession::process()
public function process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterfaceResolves the session cookie to an {@see AuthContext}, attaches it under {@see AuthenticateMiddleware::ATTRIBUTE}, and passes the request on — authenticated for a live session, anonymous for everything else.
Parameters
| Name | Type | Description |
|---|---|---|
| $request | Psr\Http\Message\ServerRequestInterface | |
| $handler | Psr\Http\Server\RequestHandlerInterface |