This project adds encryption to internal PHP save handlers. It uses OpenSSL extension to provide encryption with AES-256 and authentication using HMAC-SHA-256.
The SecureHandler class extends the default
SessionHandler of PHP and
it adds only an encryption layer on the internal save handler.
The session management logic remains the same, that means you can use
SecureSession
with all the PHP session handlers like 'file', 'sqlite',
'memcache' or 'memcached' which are provided by PHP extensions.
You can install this library using composer with the following command:
composer require ezimuel/php-secure-session
After that the PHP-Secure-Session handler will be automatically executed in your
project when consuming the vendor/autoload.php
file.
You don't have to do nothing to consume this library, the SecureHandler is automatically registered with session_set_save_handler() during the composer autoload.
The session data are encrypted using a random key stored in a cookie variable
starting with the prefix KEY_
.
This random key is generated using the random_bytes()
function of PHP 7. For PHP 5 versions we used the paragonie/random_compat
project that is a polyfill for random_bytes()
.
We also generated a random authentication key stored in the same cookie variable.
The value stored in the KEY_
cookie is the Base64
representation of the encryption key concatenated with the authentication key.
You can test the PHP-Secure-Session using the test/demo/index.php example. You can run the demo using the internal web server of PHP with the following command:
php -S 0.0.0.0:8000 -t test/demo
If you open the browser to localhost:8000 you will see the demo in action.
Copyright 2017 by Enrico Zimuel
Released under the MIT License