Home
Ayrton Fidelis edited this page Oct 16, 2018 · 4 revisions
PHP Session. The way it should be.
PHPSess is a fully featured PHP Session Handler. Anyone can write a new driver to it, making it a breeze to store the session data in [ New Shiny and Fast DB ] or secure the data with [ New State of Art Encryption Library ].
It implements the PHP `SessionHandlerInterface` so that you can use the session as you always did: the old and good `$_SESSION` superglobal and the `session_` functions. Of course, if you want to use the `SessionHandler` instance directly (e.g. in the new shiny framework you're building), that's fine too.
- Encrypts the session data in such a way that even if you have access to the session files, the source code AND the app-key, you wouldn't be able to decrypt it;
- Prevents session fixation: if a non-existent session-id is given, a new one is generated instead of accepting arbitrary ids from the request;
- Session locking: if two requests try to manipulate the session at the same time, one will have to wait for the session to be unlocked;
- Warns about insecure session ini settings.
Require the core Session Handler, the Storage and Encryption drivers:
```
composer require phpsess/session-handler phpsess/file-storage phpsess/openssl-encryption
```
```php
<?php
use PHPSess\SessionHandler;
use PHPSess\Storage\FileStorage;
use PHPSess\Encryption\OpenSSLEncryption;

// Initialize the drivers (the app-key below is a placeholder value):
$sessEncryption = new OpenSSLEncryption('a-strong-random-SECRET-app-key');
$sessStorage = new FileStorage();

// Create an instance of the Session Handler
$sessionHandler = new SessionHandler($sessEncryption, $sessStorage);

// Register the custom SessionHandler with the PHP engine
session_set_save_handler($sessionHandler);

// After that you can use the built-in `session_` functions and the `$_SESSION` superglobal as always:
session_start();
$_SESSION['some_user_data'] = 'test/example data';
echo $_SESSION['some_user_data'];
```
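The feature list above mentions a warning about insecure session ini settings. The following stand-alone check is an added example, not PHPSess's own code, showing what such an audit can look like; the function name `auditSessionIni`, the chosen settings and their expected values are assumptions of this example.

```php
<?php
// Added example: audit session ini settings before registering a handler.
// The expected values are this example's assumptions, not PHPSess's own rules.
function auditSessionIni(array $ini): array
{
    // setting => [expected boolean value, risk when it differs]
    $expected = [
        'session.use_strict_mode'  => ['1', 'unknown session ids from the request are accepted (fixation)'],
        'session.use_only_cookies' => ['1', 'session ids may be taken from the URL'],
        'session.use_trans_sid'    => ['0', 'session ids are appended to URLs and leak via logs and Referer'],
        'session.cookie_httponly'  => ['1', 'the session cookie is readable from JavaScript'],
        'session.cookie_secure'    => ['1', 'the session cookie is sent over plain HTTP'],
    ];
    $warnings = [];
    foreach ($expected as $name => [$want, $risk]) {
        $have = $ini[$name] ?? null;
        // ini values arrive as strings such as "1", "On", "", "Off"; a missing one is false/null
        $normalized = filter_var($have, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
        if ($normalized !== $want) {
            $warnings[] = sprintf('%s = %s: %s', $name, var_export($have, true), $risk);
        }
    }
    // SameSite is a string setting; empty means the attribute is not sent at all.
    if ((string) ($ini['session.cookie_samesite'] ?? '') === '') {
        $warnings[] = 'session.cookie_samesite is empty: the cookie carries no SameSite attribute';
    }
    return $warnings;
}

// Constructed sample configuration resembling permissive defaults.
$sample = [
    'session.use_strict_mode'  => '0',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.cookie_httponly'  => '',
    'session.cookie_secure'    => 'Off',
    'session.cookie_samesite'  => '',
];
foreach (auditSessionIni($sample) as $warning) {
    echo "[sample] $warning\n";   // four findings for the sample above
}

// The same audit against the running interpreter's configuration.
$live = [];
foreach (array_keys($sample) as $name) {
    $live[$name] = ini_get($name);
}
foreach (auditSessionIni($live) as $warning) {
    echo "[live] $warning\n";
}
```

Run it with the same `php.ini` the web server uses, since CLI and FPM/Apache often load different configuration files.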