Experimental PHP implementation of Device Bound Session Credentials (DBSC).
This package is completely experimental.
Do not treat it as production-ready security infrastructure yet. APIs, behavior, and defaults may change quickly.
- PHP 8.4+
- firebase/php-jwt (installed automatically via Composer)

```
composer require edituraedu/php-dbsc
```

- EdituraEDU\DBSC\DBSC singleton for DBSC flow handling
- Start header emission (Secure-Session-Registration)
- Start endpoint verification (Secure-Session-Response)
- Refresh challenge/verification handling (Secure-Session-Challenge, Sec-Secure-Session-Id)
- Cookie + session guard enforcement
- Optional dependency injection for:
  - IDBSCLogger
  - IDBSCInvalidationHandler

```php
<?php
use EdituraEDU\DBSC\DBSC;

DBSC::Initialize(__DIR__ . '/DBSCConfig.json');

// Emit registration header when client has no DBSC cookie yet:
if (!DBSC::GetInstance()->HasDBSCCookie()) {
    DBSC::GetInstance()->SendStartHeader();
}
```

```php
<?php
use EdituraEDU\DBSC\DBSC;

const DBSC_START_REFRESH_FLOW = true;
DBSC::Initialize(__DIR__ . '/DBSCConfig.json');

// Start endpoint: return the result of StartDBSCSession() as JSON.
echo json_encode(DBSC::GetInstance()->StartDBSCSession());
```

```php
<?php
use EdituraEDU\DBSC\DBSC;

const DBSC_START_REFRESH_FLOW = true;
DBSC::Initialize(__DIR__ . '/DBSCConfig.json');

// Refresh endpoint: run the refresh challenge/verification handling.
DBSC::GetInstance()->Refresh();
```

The package reads JSON config via DBSCConfig::LoadFromFile(...).
Start from src/DBSCConfig.json and adjust domains, paths, cookie flags, and endpoint paths for your environment.
DBSC::Initialize(...) accepts optional custom implementations:
- IDBSCLogger for structured logging
- IDBSCInvalidationHandler for custom cleanup when DBSC invalidates a session
If no logger is passed, DBSCLogger is used by default.
- Header normalization currently tolerates both raw and quoted DBSC header values for compatibility.
- This project is under active iteration; feedback and contributions are welcome!
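
The raw-versus-quoted tolerance noted above can stay strict about what it finally accepts. The following is an added example, not code from this package: `normalizeDbscHeaderValue` is a hypothetical helper, the sample values are constructed, and it assumes the quoted form uses HTTP structured-field string escaping (only `\"` and `\\`).

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of php-dbsc: reduce a DBSC header value that
// may arrive raw (abc123) or quoted ("abc123") to one canonical string.
// Returns null when the value is malformed.
function normalizeDbscHeaderValue(string $value, int $maxLen = 256): ?string
{
    $value = trim($value, " \t");
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if ($value[0] === '"') {
        // Quoted form: require a distinct closing quote.
        if (strlen($value) < 2 || !str_ends_with($value, '"')) {
            return null;
        }
        $inner = substr($value, 1, -1);
        $value = '';
        for ($i = 0, $n = strlen($inner); $i < $n; $i++) {
            $c = $inner[$i];
            if ($c === '\\') {
                // Assumption: only \" and \\ are accepted as escapes.
                $c = $inner[$i + 1] ?? '';
                $i++;
                if ($c !== '"' && $c !== '\\') {
                    return null;
                }
            } elseif ($c === '"') {
                return null; // unescaped quote inside the string
            }
            $value .= $c;
        }
    } elseif (str_contains($value, '"')) {
        return null; // stray quote in a raw value
    }
    // Accept visible ASCII only: no spaces, control bytes or 8-bit data.
    return preg_match('/\A[\x21-\x7E]+\z/', $value) === 1 ? $value : null;
}

// Constructed sample values, as they might appear in Sec-Secure-Session-Id.
$samples = ['abc123', '"abc123"', ' "abc123" ', '"abc123', 'ab"c', "\"abc\x01\"", '""'];
foreach ($samples as $raw) {
    printf("%-14s => %s\n", json_encode($raw), var_export(normalizeDbscHeaderValue($raw), true));
}
```

Because both accepted forms reduce to the same string, a session lookup or log entry keyed on the normalized value sees one identity per session rather than two.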
MIT