spomky-labs/dbsc-bundle
Composer 安装命令:
composer require spomky-labs/dbsc-bundle
包简介
Device Bound Session Credentials (DBSC) for Symfony - protect sessions from cookie theft with hardware-bound keys.
关键字:
README 文档
README
DBSC Bundle
Device Bound Session Credentials (DBSC) for Symfony. It protects authenticated sessions from cookie theft by binding them to a hardware-backed private key (TPM) held by the user's browser.
Status: early work in progress. The DBSC specification is still a draft shipping behind a Chrome origin trial, so header names and payloads may change.
What it does
DBSC complements your existing authentication (passwords, WebAuthn, SSO). It does not change how users log in: it hardens the credential that follows. After login the browser generates a device-bound key pair and proves possession of it periodically, so a stolen cookie replayed from another machine stops working. The browser drives all the cryptography; the server side is one response header plus two endpoints, all provided by this bundle. Browsers without DBSC support degrade gracefully.
Installation
composer require spomky-labs/dbsc-bundle
Getting started
In additive mode a short, device-bound cookie is issued alongside your existing session, which stays authoritative. You opt in at login and allow the two endpoints; the firewall is unchanged.
When you are ready, DBSC can take over the long-lived credential (the remember-me role) with a
single firewall key (device_bound_session: true).
See Adoption modes for both, including the opt-in badge and the access control to define.
Documentation
Full documentation lives in doc/:
- Concepts and security model
- Installation
- Configuration reference
- Adoption modes
- Migrating from remember-me
- Protocol and endpoints
- Production storage
- Extending the bundle
License
MIT. See LICENSE.
统计信息
- 总下载量: 1
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 2
- 点击次数: 0
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-06-02