PHP Session. The way it should be.


PHPSess is a fully featured PHP Session Handler. Anyone can write a new driver for it, making it a breeze to store the session data in [ New Shiny and Fast DB ] or secure the data with [ New State of Art Encryption Library ].

It implements the PHP SessionHandlerInterface so that you can use the session as you always did: the good old $_SESSION superglobal and the session_ functions. Of course, if you want to use the SessionHandler instance directly (e.g. in the new shiny framework you're building), that's fine too.

What it does

  • Encrypts the session data in such a way that even if you have access to the session files, the source code AND the app-key, you wouldn't be able to decrypt it;
  • Prevents session fixation: if a non-existent session-id is given, a new one is generated instead of accepting arbitrary ids from the request;
  • Session locking: if two requests try to manipulate the session at the same time, one will have to wait for the session to be unlocked;
  • Warns about insecure session ini settings.
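
An added illustration (not PHPSess code) of the session-fixation behaviour described in the list above, built on PHP's own session.use_strict_mode setting and the validateId() hook. StrictArrayHandler, its in-memory store and the session id value are hypothetical, and PHP 8.0+ is assumed:

```php
<?php
// Added illustration; StrictArrayHandler is hypothetical and not part of PHPSess.
final class StrictArrayHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> in-memory stand-in for a storage driver */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    // With session.use_strict_mode=1, PHP asks the handler whether the
    // client-supplied id is known; returning false makes PHP issue a fresh id.
    public function validateId(string $id): bool { return isset($this->store[$id]); }
    public function updateTimestamp(string $id, string $data): bool { return true; }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');    // CLI demo: no cookie header to send
ini_set('session.cache_limiter', '');   // CLI demo: no cache headers either
session_set_save_handler(new StrictArrayHandler(), true);

// Request 1: the client presents an id the server never issued (constructed value).
$supplied = 'attackerchosenid0123456789';
session_id($supplied);
session_start();
$issued = session_id();
$_SESSION['user'] = 'alice';
session_write_close();

// Request 2: the client presents the id the server issued in request 1.
session_id($issued);
session_start();
$kept = session_id();
$user = $_SESSION['user'] ?? null;
session_write_close();

// Output is deferred so nothing is printed before the session calls.
echo 'unknown id replaced: ', var_export($issued !== $supplied, true), PHP_EOL;
echo 'issued id accepted:  ', var_export($kept === $issued, true), PHP_EOL;
echo 'data restored:       ', var_export($user, true), PHP_EOL;
```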

Quick Start

Require the core Session Handler, the Storage and Encryption drivers:

composer require phpsess/session-handler phpsess/file-storage phpsess/openssl-encryption

Init the drivers and pass them to the Session Handler:

use PHPSess\SessionHandler;
use PHPSess\Storage\FileStorage;
use PHPSess\Encryption\OpenSSLEncryption;

$sessEncryption = new OpenSSLEncryption('a-strong-random-SECRET-app-key');

$sessStorage = new FileStorage();

Create an instance of the Session Handler and register it with the PHP engine:

$sessionHandler = new SessionHandler($sessEncryption, $sessStorage);

// Register the handler with PHP's session machinery
session_set_save_handler($sessionHandler);

After registering, you can use the built-in session_ functions and the $_SESSION superglobal as always:

// Start the session before touching $_SESSION
session_start();

$_SESSION['pass'] = 'mySecretP@ss123';
echo $_SESSION['pass'];