A security-first PHP session handler
PHP Session. The way it should be.
----- STILL IN DEVELOPMENT -----
PHPSess is a fully featured PHP session handler. Anyone can write a new driver for it, making it a breeze to store the session data in [ New Shiny and Fast DB ] or secure the data with [ New State-of-the-Art Encryption Library ].
It implements PHP's SessionHandlerInterface, so you can use the session as you always did: the good old $_SESSION superglobal and the session_* functions. Of course, if you want to use the SessionHandler instance directly (e.g. in the new shiny framework you're building), that's fine too.
- Encrypts the session data in such a way that even with access to the session files, the source code AND the app key, you would not be able to decrypt it;
- Prevents session fixation: if a non-existent session id is given, a new one is generated instead of accepting arbitrary ids from the request;
- Session locking: if two requests try to manipulate the session at the same time, one has to wait until the session is unlocked;
- Warns about insecure session ini settings.
```shell
composer require phpsess/session-handler phpsess/file-storage phpsess/openssl-encryption
```
Init the drivers and pass them to the Session Handler:
```php
use PHPSess\SessionHandler;
use PHPSess\Storage\FileStorage;
use PHPSess\Encryption\OpenSSLEncryption;

$sessEncryption = new OpenSSLEncryption('a-strong-random-SECRET-app-key');
$sessStorage = new FileStorage();
```
Create an instance of the Session Handler and register it with the PHP engine:
```php
$sessionHandler = new SessionHandler($sessEncryption, $sessStorage);
session_set_save_handler($sessionHandler);
```
After registering it you can use the built-in $_SESSION superglobal as always:

```php
session_start();
$_SESSION['pass'] = 'mySecretP@ss123';
echo $_SESSION['pass'];
```
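The "insecure session ini settings" the handler warns about are PHP's own session options; the following added example (not code from the PHPSess project) hardens them before registering the handler from the steps above, verifies the result, and regenerates the id on a privilege change. `iniIsOn()`, `insecureSessionIni()` and the `APP_KEY` environment variable are assumptions made here, not part of PHPSess.

```php
<?php
// Added example, not PHPSess code: harden PHP's session ini settings before
// session_start(), check them, then register the PHPSess handler as in the README.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPSess\SessionHandler;
use PHPSess\Storage\FileStorage;
use PHPSess\Encryption\OpenSSLEncryption;

// Hardened values; 'session.cookie_samesite' needs PHP 7.3 or later.
const HARDENED_SESSION_INI = [
    'session.use_strict_mode'  => '1',      // refuse ids the server never issued
    'session.use_only_cookies' => '1',      // ignore ids passed in the URL
    'session.use_trans_sid'    => '0',      // never append the id to links/forms
    'session.cookie_httponly'  => '1',      // cookie not readable by JavaScript
    'session.cookie_secure'    => '1',      // cookie sent over HTTPS only
    'session.cookie_samesite'  => 'Strict', // not sent on cross-site requests
];

// php.ini may spell booleans as On/Off while ini_set() uses "1"/"0"; accept both.
function iniIsOn(string $value): bool
{
    return in_array(strtolower($value), ['1', 'on', 'true', 'yes'], true);
}

// Return the settings that still differ from the hardened values (empty = all good).
function insecureSessionIni(): array
{
    $problems = [];
    foreach (HARDENED_SESSION_INI as $key => $want) {
        $have = (string) ini_get($key);
        $ok = $key === 'session.cookie_samesite'
            ? strcasecmp($have, $want) === 0
            : iniIsOn($have) === iniIsOn($want);
        if (!$ok) {
            $problems[] = "$key is '$have', expected '$want'";
        }
    }
    return $problems;
}

foreach (HARDENED_SESSION_INI as $key => $value) {
    ini_set($key, $value); // must run before session_start()
}
if ($problems = insecureSessionIni()) {
    throw new RuntimeException('Insecure session config: ' . implode('; ', $problems));
}

// APP_KEY is an assumed environment variable; never hard-code the real key.
$sessionHandler = new SessionHandler(new OpenSSLEncryption((string) getenv('APP_KEY')), new FileStorage());
session_set_save_handler($sessionHandler);
session_start();

// Right after a successful login (or any privilege change) issue a fresh id and
// delete the old session record, so a pre-login id cannot be reused.
session_regenerate_id(true);
```

With `session.use_strict_mode` on, PHP itself rejects unknown ids from the request, which complements the handler's own fixation protection described above.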