Getting Started

Minimal Setup

Installation Add the bundle via Composer:

composer require eesnaola/sid-authentication-bundle

Enable it in config/bundles.php:

return [
    // ...
    Eesnaola\SidAuthenticationBundle\SidAuthenticationBundle::class => ['all' => true],
];

Configuration Publish the default config:
```
php bin/console sid-authentication:install
```
Update config/packages/sid_authentication.yaml (e.g., adjust session_id_name or cookie_lifetime).

First Use Case Authenticate via a session ID (SID) in a controller:

use Symfony\Component\HttpFoundation\Request;
use Eesnaola\SidAuthenticationBundle\Security\SidAuthenticator;

public function login(Request $request, SidAuthenticator $authenticator)
{
    $sid = $request->cookies->get('SID');
    $user = $authenticator->authenticateBySid($sid);
    // Handle user or redirect
}

Implementation Patterns

Workflows

Session-Based Auth

Use SidAuthenticator to validate SIDs in security.yaml:

firewalls:
    main:
        sid_authentication:
            sid_parameter: SID

Extend SidUserProvider to fetch users from your DB:

class CustomSidUserProvider extends SidUserProvider
{
    public function loadUserBySid($sid): ?User
    {
        return $this->userRepository->findBy(['sid' => $sid]);
    }
}

Cookie Management

Generate SIDs with SidGenerator:

$sid = $this->sidGenerator->generate();
$response->headers->setCookie(new Cookie('SID', $sid, time() + 3600));

Clear SIDs on logout:

$response->headers->clearCookie('SID');

Integration with Symfony Security
- Use the sid_authentication firewall in security.yaml to auto-validate SIDs.
- Customize the sid_authentication entry point:
```
sid_authentication:
    sid_parameter: CUSTOM_SID_COOKIE
    user_provider: App\Security\CustomSidUserProvider
```

Common Use Cases

API Tokens: Replace JWTs with SID cookies for stateless APIs.
Legacy Systems: Migrate old session-based auth to Symfony.
Third-Party Logins: Share SIDs across subdomains via SameSite/Secure cookie flags.

Gotchas and Tips

Pitfalls

Alpha Software
- Expect breaking changes; avoid in production without thorough testing.
- Override bundle classes (e.g., SidAuthenticator) to stabilize behavior.
Session ID Collisions
- Ensure sid_generator (default: random_bytes) produces unique IDs.
- Validate SIDs against a blacklist if replay attacks are a risk.

Cookie Security

Always set secure: true and httponly: true in sid_authentication.yaml:

sid_authentication:
    cookie_options:
        secure: true
        httponly: true
        samesite: 'Strict'

User Provider Quirks
- Implement loadUserBySid() to return null for invalid SIDs (avoid exceptions).
- Cache user lookups if loadUserBySid() is DB-bound.

Debugging

Log SID Validation: Enable debug mode and check monolog for SidAuthenticator logs.
Cookie Inspection: Use browser dev tools to verify SID cookie presence/values.

Event Listeners: Subscribe to sid_authentication.success/sid_authentication.failure events:

services:
    App\EventListener\SidAuthListener:
        tags:
            - { name: kernel.event_listener, event: sid_authentication.success, method: onAuthSuccess }

Extension Points

Custom SID Storage Replace SidStorageInterface to store SIDs in Redis/DB:

class RedisSidStorage implements SidStorageInterface
{
    public function save($sid, User $user): void
    {
        Redis::set("sid:$sid", $user->getId());
    }
}

Multi-Factor SID Auth Combine with SecurityBundle to require SID + password:

firewalls:
    main:
        custom_form:
            login_path: /login
            check_path: /login_check
        sid_authentication: ~

Rate Limiting Use Symfony\Security\Http\Firewall\RateLimiter to block SID brute-force:
```
sid_authentication:
    rate_limiter: 'authentication_rate_limiter'
```

Sid Authentication Bundle Laravel Package