A security-first PHP session handler

dev-master 2018-10-15 19:51 UTC


PHP Session. The way it should be.

Build Status License Maintainability Test Coverage


PHPSess is a fully featured PHP Session Handler. Anyone can write a new driver to it, making it a breeze to store the session data in [ New Shiny and Fast DB ] or secure the data with [ New State of Art Encryption Library ].

It implements the PHP SessionHandlerInterface so that you can use the session as you always did: the old and good $_SESSION superglobal and the session_ functions. Of course, if you want to use the SessionHandler instance directly (eg. in the new shiny framework you're building), that's fine too.

What it does

  • Encrypts the session data in such a way that even if you have access to the session files, the source code AND the app-key, you wouldn't be able to decrypt it;
  • Prevents session fixation: if a non-existent session-id is given, a new one is generated instead of accepting arbitrary ids from the request;
  • Session locking: if two requests try to manipulate the session at the same time, one will have to wait for the session to be unlocked;
  • Warn about insecure session ini settings.

Quick Start

Require the core Session Handler, the Storage and Encryption drivers:

composer require phpsess/session-handler phpsess/file-storage phpsess/openssl-encryption

Init the drivers and pass them to the Session Handler:

use PHPSess\SessionHandler;
use PHPSess\Storage\FileStorage;
use PHPSess\Encryption\OpenSSlEncryption;

$sessEncryption = new OpenSSLEncryption('a-strong-random-SECRET-app-key');

$sessStorage = new FileStorage();

Create a instance of the Session Handler and register it to the PHP engine:

$sessionHandler = new SessionHandler($sessEncryption, $sessStorage);


After registering you can use the build in session_ functions $_SESSION superglobal as always:


$_SESSION['pass'] = 'mySecretP@ss123';
echo $_SESSION['pass'];