Super-simple library for secure PHP session handling
LICENSE
README.md
secSesh.php


secSesh

Super-simple library for secure PHP session handling
Current version: 1.2
License: MIT License

Requirements

  1. PHP 5.6+

Installation

  1. Save secSesh.php on your server. You can rename it, but keep the name you use in your require consistent: filenames are case-sensitive on most Linux hosts, so secsesh.php and secSesh.php are different files.
  2. Configure the options at the top of the file.
  3. At the top of every file that uses the session, call session_start() and then add: require_once 'secSesh.php'; (require_once avoids a redefinition error if one of your files includes another).
  4. All done!

Features

  1. Fingerprint checking to make session hijacking harder
  2. Single-file library
  3. Idle-time timeouts
  4. Easy configuration and implementation

Fingerprints

SecSesh creates a fingerprint when the session is initialized and checks the current request against it each time a page is accessed. If the fingerprint doesn't match, the session is destroyed. The fingerprint is a combination of the user's User-Agent header and IP address.

Keep in mind what this does and does not cover. An attacker who obtains the session id (for example by sniffing a cookie sent over plain HTTP) also needs to present the same User-Agent, which is trivially spoofable, and the same source IP, which is harder but not impossible (shared NAT, the same corporate proxy, or a compromised host on the victim's network). Conversely, legitimate users can fail the check when their IP changes mid-session (mobile networks, some ISPs, load-balanced proxies) or when their browser updates its User-Agent string, so expect occasional forced re-logins. Treat the fingerprint as a second line of defence behind TLS and proper cookie flags, not as a replacement for them.

Functions

\secSesh\start()

This is what initializes the session guard. It creates the fingerprint and starts the idle-timeout timer. It must be called after session_start(), and it is sensible to call session_regenerate_id(true) first when the user has just logged in, so the fingerprint is bound to a fresh session id. It takes no arguments.

\secSesh\end()

This destroys the session. Call it on logout. It takes no arguments.

\secSesh\check()

This checks whether a session is still valid. It returns true if the session hasn't timed out and the fingerprint hasn't changed, and false otherwise. Call it on every protected page before trusting anything in $_SESSION. Takes no arguments.
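To make the mechanism behind the Fingerprints and Functions sections concrete, here is a self-contained guard that does the same two things (bind a fingerprint at start, re-check it plus an idle timer on every request). It is an added illustration written for this page, not the code in secSesh.php; the namespace, session keys, the 900-second timeout and the request arrays at the bottom are all my own choices. Request data and the clock are passed in as parameters so the logic can be exercised without a web server.

```php
<?php
// Illustrative session guard (added example, not secSesh.php). Shows the technique the
// README describes: a fingerprint bound at session start and re-checked on every request,
// plus an idle timeout. All names and values below are assumptions for this example.
declare(strict_types=1);

namespace SessionGuardExample;

const IDLE_TIMEOUT = 900;          // seconds of inactivity allowed (assumed value)
const FP_KEY       = '_guard_fp';  // $_SESSION keys are arbitrary choices
const SEEN_KEY     = '_guard_seen';

/** Fingerprint the client. Hashed so the raw UA/IP never sit in the session store. */
function fingerprint(array $server, bool $bindIp = true): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        // REMOTE_ADDR is set by the web server itself. Do not substitute X-Forwarded-For
        // unless the request provably came through a proxy you control.
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\x00", $parts));
}

/** Bind the fingerprint and start the idle timer. Call after session_start(). */
function start(array $server, int $now, bool $bindIp = true): void
{
    $_SESSION[FP_KEY]   = fingerprint($server, $bindIp);
    $_SESSION[SEEN_KEY] = $now;
}

/** Wipe session data, expire the id cookie and destroy the server-side session. */
function end(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies') && session_status() === PHP_SESSION_ACTIVE) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}

/** True only if a fingerprint was bound, still matches, and the idle limit has not elapsed. */
function check(array $server, int $now, bool $bindIp = true): bool
{
    if (!isset($_SESSION[FP_KEY], $_SESSION[SEEN_KEY])) {
        return false;                       // start() was never called on this session
    }
    // Constant-time comparison; both sides are fixed-length sha256 hex strings.
    if (!hash_equals((string)$_SESSION[FP_KEY], fingerprint($server, $bindIp))) {
        end();                              // mismatch: tear the session down, as the README does
        return false;
    }
    if ($now - (int)$_SESSION[SEEN_KEY] > IDLE_TIMEOUT) {
        end();                              // idle too long
        return false;
    }
    $_SESSION[SEEN_KEY] = $now;             // any accepted request resets the idle timer
    return true;
}

// Offline self-check on constructed request data (no session_start() needed in the CLI):
// a hijacker presenting the victim's session id from a different client is rejected.
$victim   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)', 'REMOTE_ADDR' => '203.0.113.7'];
$attacker = ['HTTP_USER_AGENT' => 'curl/8.4.0',                      'REMOTE_ADDR' => '198.51.100.9'];

$_SESSION = [];
start($victim, 1000);
if (check($victim, 1500) !== true)    { throw new \RuntimeException('same client should pass'); }
if (check($attacker, 1600) !== false) { throw new \RuntimeException('different client should fail'); }
if (check($victim, 1700) !== false)   { throw new \RuntimeException('session should be gone after mismatch'); }

$_SESSION = [];
start($victim, 1000);
if (check($victim, 1000 + IDLE_TIMEOUT + 1) !== false) { throw new \RuntimeException('idle timeout should fail'); }
echo "guard self-check passed\n";
```

The `$bindIp` switch is there because of the caveat above: for a site with many mobile users you may decide to fingerprint on User-Agent only and accept the weaker binding, rather than log people out every time their address changes. Either way the idle timeout still applies, and the fingerprint is stored as a hash so a leaked session file does not also leak the client's address.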

Implementation

Usage examples (login, protected page, logout) are kept in a separate gist: https://gist.github.com/rahuldottech/c9dc9195af5c48ec25af63459fb9f6d9
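The following single-file app shows how the three documented calls fit into a login, protected-page and logout flow. It is an added example written for this page, not the project's gist: only `\secSesh\start()`, `\secSesh\check()` and `\secSesh\end()` come from the README; the file name `secSesh.php`, the `?action=` routing, the cookie settings and the in-memory demo user store are my own assumptions.

```php
<?php
// Added example (not from the secSesh repo or its gist): one front-controller file that
// wires the documented \secSesh\ API into a login / protected page / logout flow.
// Everything other than the three \secSesh\ calls is an assumption for this example.
declare(strict_types=1);

// Cookie hardening is PHP's job, not the library's: the session id must never travel in
// clear text (secure) or be readable by script (httponly). Array form needs PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
require_once 'secSesh.php';   // README: secSesh functions are called after session_start()

// Constructed demo credential store. A real app reads a password_hash() value from a DB.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

$action = (string)($_GET['action'] ?? 'page');

switch ($action) {
    case 'login':
        $u = (string)($_POST['user'] ?? '');
        $p = (string)($_POST['pass'] ?? '');
        if (isset($users[$u]) && password_verify($p, $users[$u])) {
            session_regenerate_id(true);   // new id on privilege change: defeats session fixation
            \secSesh\start();              // bind fingerprint and start the idle timer
            $_SESSION['user'] = $u;
            header('Location: ?action=page');
        } else {
            http_response_code(401);
            echo 'bad credentials';
        }
        exit;

    case 'logout':
        \secSesh\end();                    // destroy the session on explicit logout
        header('Location: ?action=page');
        exit;

    default:
        // check() is false after a fingerprint mismatch or an idle timeout. The README says a
        // mismatch already destroys the session, so only call end() if one is still active.
        if (!\secSesh\check() || !isset($_SESSION['user'])) {
            if (session_status() === PHP_SESSION_ACTIVE) {
                \secSesh\end();
            }
            http_response_code(401);
            echo 'please log in: POST user and pass to ?action=login';
            exit;
        }
        echo 'Hello, ' . htmlspecialchars((string)$_SESSION['user'], ENT_QUOTES, 'UTF-8');
}
```

Run it behind HTTPS (the `secure` flag means the cookie is never sent over plain HTTP, so a local `php -S` test without TLS will appear to "lose" the session). The `session_regenerate_id(true)` before `\secSesh\start()` matters: without it, an attacker who planted a session id in the victim's browser before login would share the authenticated session, and the fingerprint check would not catch that because the attacker never needs to present the cookie from a different client.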

Misc. Considerations

  1. You should be serving the site over HTTPS (TLS). Without it the session cookie travels in clear text on every request, and anyone on the path can replay it; the fingerprint only helps if the eavesdropper cannot also match your IP address and User-Agent. Set the cookie flags PHP already supports (session.cookie_secure, session.cookie_httponly and, on PHP 7.3+, session.cookie_samesite) so the id is never sent over HTTP or exposed to script, and call session_regenerate_id(true) when a user logs in so that a session id fixed before authentication is not carried over.

Changelog

  • v0.1: Initial version
  • v0.2: Renamed variables
  • v1.0: Rewritten to use \secSesh\ namespace
  • v1.1: Removed prefix from function names
  • v1.2: Bugfixes

Report Bugs

Create an Issue or tweet to me at @rahuldottech