webCOMAND

Cookie Session Model

The Cookie Session Model content type implements the Login Policy Session Model.

webCOMAND Sessions Model

Fields

  • Title - Human-friendly name.
  • Description - Short description of the login model and how it can be used.
  • Package - Defines the package that contains the PHP class implementing this feature. If not specified, defaults to the content type's PHP implementation.
  • Class Name - Defines the fully qualified PHP class name of the class implementing this feature. If not specified, defaults to the content type's PHP implementation.
  • Application - General session options that apply across specific session implementations.
    • Inactive Seconds - The number of seconds of inactivity after which a user's session expires. 0 means sessions never expire for inactivity.
    • Allow Remember Me - Controls 'remember me' functionality. A remembered session persists after the browser is closed: the cookie is given an expiration based on Inactive Seconds instead of expiring with the browser. The page refers to these as cross-browser sessions.
      • Controller Enabled: the login controller decides per session, based on user input (for example a 'remember me' checkbox).
      • Always Remembered: all sessions are treated as cross-browser sessions automatically.
      • Never Remembered: sessions always expire with the browser, and attempting to enable 'remember me' through the controller results in an error.
  • Cookies - Configuration options specific to browser cookies.
    • Name - The name of the session ID cookie sent to the browser. Defaults to PHPSESSID. Changing the default also avoids advertising the underlying platform in every response.
    • Path - Path on the domain for which the cookie is sent. A slash means all paths on the domain.
    • Domain - Cookie domain, for example 'www.yourdomain.com'. To make the cookie visible on all subdomains, set the parent domain, traditionally written with a leading dot like '.yourdomain.com' (browsers that follow RFC 6265 ignore the dot and treat any explicit Domain as covering its subdomains). Leave blank to scope the cookie to the current host only.
    • Secure - If checked, the cookie is only sent over HTTPS connections. Defaults to Off. Leave this off only for sites that cannot be served over HTTPS; otherwise a session ID sent over plaintext HTTP can be captured by anyone on the network path.
    • HTTP Only - If checked, the cookie is marked HttpOnly, so it is sent with HTTP requests but cannot be read by client-side scripts such as JavaScript (document.cookie). This does not prevent XSS, but it stops an injected script from simply exfiltrating the session ID (some very old browsers do not honour the flag).
    • Strict Mode - If enabled, the session module does not accept an uninitialized session ID. If the browser sends an ID the server did not issue, a new session ID is generated and sent to the browser instead. This protects applications from session fixation via session adoption, where an attacker plants a session ID of their choosing in the victim's browser and waits for the victim to log in under it.
    • Same Site - Sets the SameSite attribute on the cookie created by this session. It lets the server assert that the cookie should not be sent with cross-site requests, which mitigates cross-origin information leakage and provides some protection against cross-site request forgery. Older browsers ignore the attribute, so it complements rather than replaces CSRF tokens.
      • Strict - the cookie is not sent with any cross-site request, even a regular link that navigates the user to the target site.
      • Lax - the cookie is not sent with cross-site requests, except for top-level navigations using a safe method (a regular link). Other request methods (such as POST and PUT) and XHR/fetch requests initiated cross-site do not carry the cookie.
      • None - the browser enforces no SameSite rules for this cookie. Browsers that treat cookies without the attribute as Lax (Chrome 80 and later) will lose that protection when None is set explicitly, and modern browsers reject SameSite=None cookies that are not also marked Secure.
      • Server Default - defers to the session.cookie_samesite setting in the PHP ini file, which can be Strict, Lax, None, or blank. If blank, no SameSite attribute is sent; browsers then apply their default, which may be Lax.
  • Sessions - Configuration options regarding how session data is stored in the file system.
    • Path Depth - If not 0, session files are distributed into subdirectories named after the first N characters of the session ID (N being the depth), which improves performance by reducing the number of files in a single directory. A value above 2 is not recommended, as it can require a very large number of directories (up to 64^N) to store these files, and those directories must exist before sessions are written.
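The following is an added example, not webCOMAND code: a small Python model of how the Cookies fields above translate into a Set-Cookie header, an audit function that flags the weak settings a reviewer would reject, and a toy session store showing why Strict Mode defeats session fixation by adoption. The class and field names, the planted session ID, and the in-memory store are illustrative assumptions and do not reflect webCOMAND's internal implementation.

```python
"""Added example: Cookie Session Model settings on the wire, plus strict mode.

Illustrative only; the field-to-attribute mapping is assumed, not taken from
webCOMAND's code.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieConfig:
    """Mirrors the Cookies fields of the Cookie Session Model (assumed mapping)."""
    name: str = "PHPSESSID"
    path: str = "/"
    domain: str = ""                   # blank: cookie is scoped to the current host
    secure: bool = False
    http_only: bool = False
    strict_mode: bool = False
    same_site: Optional[str] = None    # "Strict", "Lax", "None", or None for Server Default
    inactive_seconds: int = 0          # 0: never expires for inactivity

    def set_cookie_header(self, session_id: str, remembered: bool) -> str:
        """Render the header the browser would receive for this configuration."""
        parts = [f"{self.name}={session_id}", f"Path={self.path}"]
        if self.domain:
            parts.append(f"Domain={self.domain}")
        # A remembered ('cross-browser') session persists for Inactive Seconds;
        # otherwise the cookie has no Max-Age and expires with the browser.
        if remembered and self.inactive_seconds > 0:
            parts.append(f"Max-Age={self.inactive_seconds}")
        if self.secure:
            parts.append("Secure")
        if self.http_only:
            parts.append("HttpOnly")
        if self.same_site:
            parts.append(f"SameSite={self.same_site}")
        return "Set-Cookie: " + "; ".join(parts)


def audit_cookie_header(header: str) -> List[str]:
    """Return the weaknesses a reviewer would raise against a Set-Cookie line."""
    attrs = {}
    for part in header.split(";")[1:]:            # skip the name=value pair
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: session ID can be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: session ID readable via document.cookie (XSS)")
    same_site = attrs.get("samesite", "")
    if not same_site:
        findings.append("missing SameSite: relies on browser default (Lax in Chrome 80+)")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: modern browsers reject the cookie")
    return findings


class SessionStore:
    """Minimal server-side session table with a PHP-style strict mode switch."""

    def __init__(self, strict_mode: bool) -> None:
        self.strict_mode = strict_mode
        self.sessions: Dict[str, dict] = {}

    def resume(self, cookie_id: Optional[str]) -> str:
        """Return the session ID to use for this request, creating one if needed."""
        if cookie_id and cookie_id in self.sessions:
            return cookie_id                       # known, server-issued session
        if cookie_id and not self.strict_mode:
            self.sessions[cookie_id] = {}          # adoption: trust the client's ID
            return cookie_id
        new_id = secrets.token_hex(16)             # strict mode: ignore unknown IDs
        self.sessions[new_id] = {}
        return new_id

    def login(self, session_id: str, user: str) -> None:
        self.sessions[session_id]["user"] = user


def fixation_attack(strict_mode: bool) -> bool:
    """True if an attacker-planted ID ends up bound to the victim's login."""
    store = SessionStore(strict_mode)
    planted = "attacker-chosen-id"                 # constructed: planted via XSS, a sibling subdomain, etc.
    victim_sid = store.resume(planted)             # victim's first request carries the planted ID
    store.login(victim_sid, "victim")
    return store.sessions.get(planted, {}).get("user") == "victim"


if __name__ == "__main__":
    weak = CookieConfig()
    hardened = CookieConfig(secure=True, http_only=True, same_site="Lax",
                            strict_mode=True, inactive_seconds=1800)
    for cfg in (weak, hardened):
        header = cfg.set_cookie_header("s3ss10n", remembered=True)
        print(header, audit_cookie_header(header) or ["ok"])
    print("fixation without strict mode:", fixation_attack(False))
    print("fixation with strict mode:   ", fixation_attack(True))
```

The audit is deliberately header-based so it can be pointed at a real response captured from a webCOMAND site once the content type has been configured; a clean result from it together with Strict Mode enabled is the baseline a practitioner should expect for an authenticated application.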