PHPackages session-handler-cookie/session-handler-cookie - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. session-handler-cookie/session-handler-cookie ActiveLibrary session-handler-cookie/session-handler-cookie ============================================= HMAC Cookie Sessions for PHP 5.4 v2.0.0.x-dev(11y ago)4423014[3 issues](https://github.com/stevecorona/SessionHandlerCookie/issues)[1 PRs](https://github.com/stevecorona/SessionHandlerCookie/pulls)MITPHPPHP >=5.4.0 Since Jan 5Pushed 3y ago1 watchersCompare [ Source](https://github.com/stevecorona/SessionHandlerCookie)[ Packagist](https://packagist.org/packages/session-handler-cookie/session-handler-cookie)[ Docs](https://github.com/stevecorona/SessionHandlerCookie)[ RSS](/packages/session-handler-cookie-session-handler-cookie/feed)WikiDiscussions master Synced 6d ago READMEChangelogDependencies (1)Versions (2)Used By (0) Cookie Session Handler for PHP ============================== [](#cookie-session-handler-for-php) This library adds HMAC-Based Cookie sessions to PHP 5.4+ Cookie Session Handler is a short, but useful piece of code that I've decided to open source from my book, [Scaling PHP Applications](http://scalingphpbook.com). Sessions are a major source of scaling pains in PHP. By default, session data is stored on the filesystem in PHP, which doesn't scale horizontally as you add more servers (without sticky sessions or NFS). Typically, the way we solve this is by moving sessions to the database or memcached/redis. This punts the problem, but can cause high database load. Session Data in the Cookie -------------------------- [](#session-data-in-the-cookie) What if we could store the session data in the cookie? It'd -easily- solve the scaling problem, but you'd have to worry about data tampering— remember, cookie data is not sercure and can be modified by the user. We solve the data integrity problem the same way as many other popular frameworks (i.e, Rails) by storing the cookie data with an HMAC token. ### How does it work? [](#how-does-it-work) PHP 5.4 adds the [`SessionHandlerInterface`](http://php.net/manual/en/class.sessionhandlerinterface.php) which allows for custom PHP session handlers. It's easy to use and plug-and-play and it works transparently with the native session interface, through the `$_SESSION` global variable. HMAC ---- [](#hmac) This library uses [PHP's Hash Extension](http://php.net/manual/en/book.hash.php) (bundled with PHP as of 5.1.2). By default, it uses `sha512`, but you can change it to any [hashing alogrithm supported](http://php.net/manual/en/function.hash-algos.php). To make this all work, you need to provide a secret that's used for the HMAC. By default, a very weak and predictable secret is used, and you should change it to your own secret. Example Usage ------------- [](#example-usage) ```