But what when we have a scenario where user’s information is being managed by a third party service and no user information is being saved on Drupal? And when the authentication is done via some other third party services? How can we manage cookie in this case to run our site session and also keep it secure?
One is way is to set and maintain cookie on our own. In this case, our user’s will be anonymous to Drupal. So, we keep session running based on cookies! The user information will be stored in cookie itself, which then can be validated when a request is made to Drupal.
We have a php function to set cookie called setCookie() , which we can use to create and destroy cookie. So, the flow will be that a user login request which is made to website is verified via a third party service and then we call setCookie function which sets the cookie containing user information. But, securing the cookie is must, so how do we do that?
For this, let’s refer to Bakery module to see how it does it. It contains functions for encrypting cookie, setting it and validating it.
To achieve this in Drupal 8, we will write a helper class let’s say “UserCookie.php” and place it in ‘{modulename}/src/Helper/’. Our cookie helper class will contain static methods for setting cookie and validating cookie. Static methods so that we will be able to call them from anywhere.
We will have to encrypt cookie before setting it so we will use openssl_encrypt() php function in following manner:
- String parameter in openssl_digest can be replaced with any string you feel like that can be used as key. You can keep simple keyword too.
- Key used should be same while decryption of data.
- Same initialization vector will be needed while decrypting the data, so to retrieve it back we append this along with cookie data string.
- We also add a signature which is generate used the same key used above. We will verify this key while validating cookie.
- Finally, we encode both signature and encrypted cookie data together.
For setting cookie:
Note: You can keep 'SOME_COOKIE_KEY' and 'SOME_DEFAULT_COOKIE_EXPIRE_TIME' in your settings.php. Settings::get() will fetch that for you.
Tip: You can also append and save expiration time of cookie in encrypted data itself so that you can also verify that at time of decryption. This will stop anyone from extending the session by setting cookie timing manually.
Congrats! We have successfully encrypted the user data and set it into a cookie.
Now let’s see how we can decrypt and validate the same cookie.
To decrypt cookie:
- We generate the same key using same string parameter given while encryption.
- Then we reverse base64 encoding as we need extract signature to verify it.
- We generate same signature again as we have used the same key which was used to creating signature while encryption. If doesn’t signatures doesn’t matches, validation fails!
- Else, we extract initialization vector from the encrypted data and use to decrypt the data return to be utilized.
We can verify cookie on requests made to website to maintain our session. You can implement function for expiring cookie for simulating user logout. We can also use decrypted user data out of cookie for serving user related pages.We are in an era where we see a lots of third party integrations being done in projects. In Drupal based projects, cookie management is done via Drupal itself to maintain session, whether it be a pure Drupal project or decoupled Drupal project,.