Implement Authkit Sessions #315
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Greptile Summary
Important Files Changed
Confidence score: 4/5
Sequence DiagramsequenceDiagram
participant User
participant App
participant CookieSession
participant UserManagement
participant HaliteSessionEncryption
participant WorkOSAPI
User->>App: "Request with session cookie"
App->>UserManagement: "getSessionFromCookie(cookiePassword)"
UserManagement->>UserManagement: "Extract cookie from $_COOKIE"
UserManagement->>UserManagement: "loadSealedSession(sealedSession, cookiePassword)"
UserManagement->>CookieSession: "new CookieSession(userManagement, sealedSession, cookiePassword)"
App->>CookieSession: "authenticate()"
CookieSession->>UserManagement: "authenticateWithSessionCookie(sealedSession, cookiePassword)"
UserManagement->>HaliteSessionEncryption: "unseal(sealedSession, cookiePassword)"
HaliteSessionEncryption-->>UserManagement: "sessionData"
UserManagement->>WorkOSAPI: "POST user_management/sessions/authenticate"
WorkOSAPI-->>UserManagement: "authentication response"
UserManagement-->>CookieSession: "SessionAuthenticationSuccessResponse"
CookieSession-->>App: "authentication result"
App-->>User: "authenticated response"
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Author
birdcar
force-pushed
the
birdcar/session-implementation
branch
2 times, most recently
from
c80a0ed to
19d649b
Compare
Author
|
This doesn't have to wait, but it would likely be beneficial to wait until #316 merges so I can update the new |
dandorman
reviewed
Jan 15, 2026
dandorman
left a comment
dandorman
left a comment
There was a problem hiding this comment.
This seems good to me, outside of a couple nits. (And i am woefully out of date on my PHP knowledge, so take anything i say with a grain of salt.)
The code looks good, Halite seems like a reasonable choice for an encryption library. I think that is my sole caveat with this PR. It does indeed bring the PHP SDK closer to how the others operate, but that includes the sealed session stuff i think we're hoping to deprecate. Most frameworks provide their own way to encrypt and/or sign cookies, there's little reason for us to add our own layer. Additionally, this creates another island of un-interoperability, where sessions sealed in one platform can't easily be unsealed in another. (cc @cmatheson , who has more thoughts/knowledge on the matter)
Would it be possible to make the sealed-session stuff optional? I don't want to overburden you, but @nicknisi has done some excellent work at paving the way to make session backing more plugin in the JS world.
But if we're not interested in pursuing any of that now, let me know. I don't want to hold this up if we'd rather get parity.
Author
@dandorman everything is possible and "pairity" is only one concern. I'm happy to wait and discuss, I just figured I'd use whatever skills I could to push the SDKs to unity (and, selfishly, I want to be able to use this specific feature in my own projects) |
Add paragonie/halite ^4.0 for PHP 7.3+ compatible symmetric encryption. This library provides libsodium-based encryption for session data.
Add Session resource class for representing user sessions with properties: id, userId, ipAddress, userAgent, organizationId, authenticationMethod, status, expiresAt, endedAt, createdAt, updatedAt.
Add SessionAuthenticationFailureResponse with failure reason constants: - NO_SESSION_COOKIE_PROVIDED - INVALID_SESSION_COOKIE - ENCRYPTION_ERROR - HTTP_ERROR Add SessionAuthenticationSuccessResponse with full session data including user, tokens, organization, roles, permissions, entitlements, and impersonator.
Add SessionEncryptionInterface defining seal/unseal contract for session encryption providers. Add HaliteSessionEncryption implementing libsodium-based symmetric encryption with HKDF key derivation and TTL validation. Default TTL is 30 days to match WorkOS session lifetime. Include comprehensive tests for encryption, TTL expiration, wrong password handling, and data integrity.
Add SigningOnlySessionHandler as an alternative to full encryption. Uses HMAC-SHA256 for integrity verification without encrypting the payload. Suitable for TLS-only environments where encryption overhead is undesirable. Includes version field for future compatibility, TTL validation, and constant-time signature comparison to prevent timing attacks.
Add session management methods: - listSessions: List sessions for a user with pagination - revokeSession: Revoke a specific session - authenticateWithSessionCookie: Validate sealed session cookies - loadSealedSession: Create CookieSession from sealed data - getSessionFromCookie: Extract session from HTTP cookies Support injectable SessionEncryptionInterface for custom encryption providers, defaulting to HaliteSessionEncryption.
Add CookieSession for high-level session management: - authenticate: Validate session and return user data - refresh: Refresh expired tokens and return raw tokens for re-sealing - getLogoutUrl: Generate logout URL for the session Designed to match workos-node CookieSession behavior. Sealing tokens is the responsibility of the calling code (e.g., authkit-php).
birdcar
force-pushed
the
birdcar/session-implementation
branch
from
4971150 to
36e0279
Compare
Author
Change catch blocks from \Exception to Exception\BaseRequestException to only catch HTTP-related errors from Client::request(). This prevents accidentally swallowing unrelated errors like TypeErrors or configuration issues that should bubble up for debugging. Addresses review feedback on PR #315.
dandorman
approved these changes
Jan 17, 2026
dandorman
left a comment
dandorman
left a comment
There was a problem hiding this comment.
Yeah, i guess it's not worth keeping our PHP friends out in the cold.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR implements AuthKit Sessions support for the PHP SDK, bringing it to parity with the Node, Python, and Ruby sdks.
Documentation
Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.
If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.