Super-simple library for secure PHP session handling
- PHP 5.6+
- Put `secsesh.php` on your server. You can rename it.
- Configure the options at the top of the file.
- Add this to the top of all your files:
- All done!
- Fingerprint-checking to prevent session hijacking
- Single-file library
- Idle-time timeouts
- Easy configuration and implementation
SecSesh creates a fingerprint when the session is initialized and cross-checks against this each time a page is accessed. If the fingerprint doesn't match, the session is destroyed. The fingerprint is a combination of the user's User Agent and IP address.
This is what initializes the session. It creates the fingerprint and starts the idle timeout timer. It should be called after `session_start()`. It takes no arguments.
This destroys a session. It takes no arguments.
This checks whether a session is active. It returns `true` if the session hasn't timed out and the fingerprint hasn't changed. It takes no arguments.
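To make the fingerprint check and idle timeout described above concrete, here is an added example of the same three-function pattern. It is not SecSesh's own code, the function names, session keys and 900-second timeout are assumptions, and it stays within PHP 5.6 syntax.

```php
<?php
// Added example, not the SecSesh library's code. Function names, session
// keys and the timeout value below are assumptions for illustration.

define('SESH_IDLE_TIMEOUT', 900);   // seconds of inactivity allowed (assumed)

// Fingerprint = User Agent + IP address, as the README describes.
// Caveat: REMOTE_ADDR is the proxy's address behind a reverse proxy, and
// mobile users change IP mid-session, so expect some legitimate sessions
// to be dropped; the User Agent alone is trivially spoofable.
function sesh_fingerprint() {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return hash('sha256', $ua . '|' . $ip);   // store a hash, not raw values
}

// Call after session_start(): records the fingerprint and starts the timer.
function sesh_init() {
    session_regenerate_id(true);   // fresh ID (my addition): blocks fixation
    $_SESSION['sesh_fp']   = sesh_fingerprint();
    $_SESSION['sesh_last'] = time();
}

// Destroys the session data and expires the session cookie.
function sesh_destroy() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// True only if the fingerprint still matches and the idle timeout has not
// elapsed; otherwise the session is destroyed, as the README describes.
function sesh_is_active() {
    if (!isset($_SESSION['sesh_fp'], $_SESSION['sesh_last'])) {
        return false;
    }
    $fpOk  = hash_equals($_SESSION['sesh_fp'], sesh_fingerprint());
    $fresh = (time() - (int) $_SESSION['sesh_last']) <= SESH_IDLE_TIMEOUT;
    if (!$fpOk || !$fresh) {
        sesh_destroy();
        return false;
    }
    $_SESSION['sesh_last'] = time();   // activity seen: reset the idle timer
    return true;
}
```

Call `sesh_init()` once after login and `sesh_is_active()` at the top of every protected page; a `false` return means the visitor must authenticate again.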
Usage examples: see https://gist.github.com/rahuldottech/c9dc9195af5c48ec25af63459fb9f6d9
- You should be using SSL (HTTPS), because otherwise this library provides little protection, apart from some defence against session hijacking through the fingerprinting technique.
v0.1: Initial version
v0.2: Renamed variables
v1.0: Rewritten to use
v1.1: Removed prefix from function names
Create an Issue or tweet to me at @rahuldottech