Encrypt and authenticate PHP session data using AES-256 and HMAC-SHA256
Switch branches/tags
Clone or download
Latest commit da686a3 Feb 1, 2018



Build Status Coverage Status


This project adds encryption to internal PHP save handlers. It uses OpenSSL extension to provide encryption with AES-256 and authentication using HMAC-SHA-256.

The SecureHandler class extends the default SessionHandler of PHP and it adds only an encryption layer on the internal save handler. The session management logic remains the same, that means you can use SecureSession with all the PHP session handlers like 'file', 'sqlite', 'memcache' or 'memcached' which are provided by PHP extensions.


You can install this library using composer with the following command:

composer require ezimuel/php-secure-session

After that the PHP-Secure-Session handler will be automatically executed in your project when consuming the vendor/autoload.php file.


You don't have to do nothing to consume this library, the SecureHandler is automatically registered with session_set_save_handler() during the composer autoload.

How it works

The session data are encrypted using a random key stored in a cookie variable starting with the prefix KEY_.

This random key is generated using the random_bytes() function of PHP 7. For PHP 5 versions we used the paragonie/random_compat project that is a polyfill for random_bytes().

We also generated a random authentication key stored in the same cookie variable. The value stored in the KEY_ cookie is the Base64 representation of the encryption key concatenated with the authentication key.


You can test the PHP-Secure-Session using the test/demo/index.php example. You can run the demo using the internal web server of PHP with the following command:

php -S -t test/demo

If you open the browser to localhost:8000 you will see the demo in action.

Copyright 2011-2018 by Enrico Zimuel

Released under the MIT License