Getting Started
Sessions
Set session_prefix in app/config.php. All session keys use this prefix to avoid collisions:
return [
    'session_prefix' => 'strata_',
    'token_expiry' => 3600,
    'log_path' => __DIR__ . '/../storage/logs',
];
Access it with a fallback:
$sessionPrefix = $config['session_prefix'] ?? 'app_';
$_SESSION[$sessionPrefix . 'user_id'] = $user->id;
$userId = $_SESSION[$sessionPrefix . 'user_id'] ?? null;
CSRF Protection
App\TokenManager uses the same pattern. It reads session_prefix from $config and falls back to app_:
$sessionPrefix = $this->config['session_prefix'] ?? 'app_';
Add to forms:
<input type="hidden" name="token" value="<?= App\TokenManager::csrf($config) ?>">
Verify in controller:
use App\TokenManager;
$tm = new TokenManager($config);
$result = $tm->verify($_POST['token'] ?? '');
if ($result['status'] !== 'success') {
    http_response_code(403);
    exit('Invalid or expired CSRF token');
}
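The following is an added example, not the project's App\TokenManager: it shows how a token stored under the session prefix behaves when one caller uses the configured prefix and another silently falls back to app_. The class name ExampleTokenManager, the session key suffix csrf, and every status value other than success are assumptions made for illustration.

```php
<?php
// Added example, not the project's App\TokenManager. Hypothetical class showing
// the session-prefix pattern with token_expiry and a constant-time comparison.
final class ExampleTokenManager
{
    private string $key;
    private int $ttl;

    public function __construct(array $config)
    {
        // Same fallback as the page: 'app_' when session_prefix is missing.
        $prefix = $config['session_prefix'] ?? 'app_';
        $this->key = $prefix . 'csrf'; // assumed key name
        $this->ttl = (int) ($config['token_expiry'] ?? 3600);
    }

    public function issue(): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $_SESSION[$this->key] = ['value' => $token, 'issued' => time()];
        return $token;
    }

    public function verify(string $submitted): array
    {
        $stored = $_SESSION[$this->key] ?? null;
        if (!is_array($stored) || $submitted === '') {
            return ['status' => 'missing']; // nothing stored under this prefix
        }
        if (time() - $stored['issued'] > $this->ttl) {
            unset($_SESSION[$this->key]);
            return ['status' => 'expired'];
        }
        // hash_equals compares in constant time, so timing does not leak the token.
        return ['status' => hash_equals($stored['value'], $submitted) ? 'success' : 'invalid'];
    }
}

// Constructed CLI demo: $_SESSION is a plain array here, no session_start().
$_SESSION = [];
$config = ['session_prefix' => 'strata_', 'token_expiry' => 3600];

$token = (new ExampleTokenManager($config))->issue();
var_dump((new ExampleTokenManager($config))->verify($token)['status']);    // same prefix
var_dump((new ExampleTokenManager([]))->verify($token)['status']);         // config not passed
var_dump((new ExampleTokenManager($config))->verify('tampered')['status']); // wrong value
```

The second call looks under app_csrf instead of strata_csrf, so a component constructed without $config rejects every token; pass the same $config to the form helper and the controller.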