PHPackages sobstel/sesshin - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. sobstel/sesshin ActiveLibrary[Security](/categories/security) sobstel/sesshin =============== PHP secure advanced session manager v1.2.0(8y ago)681.3k12MITPHPPHP >=5.4.0 Since Sep 27Pushed 4y ago10 watchersCompare [ Source](https://github.com/sobstel/sesshin)[ Packagist](https://packagist.org/packages/sobstel/sesshin)[ RSS](/packages/sobstel-sesshin/feed)WikiDiscussions master Synced 2w ago READMEChangelog (1)Dependencies (1)Versions (5)Used By (0) Sesshin ======= [](#sesshin) Object-oriented, extendable advanced session handling component written with security in mind that mitigates attacks like Session Hijacking, Session Fixation, Session Exposure, Sesion Poisoning, Session Prediction. Awarded 1st place in [php.pl contest](http://wortal.php.pl/phppl/Wortal/Spolecznosc/Konkursy/Konkurs-Pozyteczne-i-praktyczne-biblioteki-Wyniki). Features: - smart session expiry control - prevents session adoption, i.e. session ids generated only by the component are acceptable (strict model) - sends cookie only when session really created - session id rotation (anti session hijacking), based on time and/or number of requests - configurable: - unlike PHP native mechanism, you don't have to use cron or resource-consuming 100% garbage collecting probability to ensure sessions are removed exactly after specified time - convention over configuration - possible to configure user-defined stores, listeners (observers), entropy callback and fingerprint generators, but all of them have defaults set out-of-the-box - 100% independent from insecure native PHP session extension [![Build Status](https://camo.githubusercontent.com/9f73fb4f42bd9551d3e6ed7d6d078438fb10f279b6ac01194b53de666bedfb7f/68747470733a2f2f7472617669732d63692e6f72672f736f627374656c2f7365737368696e2e706e673f6272616e63683d6d6173746572)](https://travis-ci.org/sobstel/sesshin)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/8e4630bd510f38ab73ac55cc4b7ced619738818f439a5602fc9214060814acef/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f736f627374656c2f7365737368696e2f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/sobstel/sesshin/?branch=master) Usage ----- [](#usage) ### Installation [](#installation) ``` composer require sobstel/sesshin ``` ### Create new session [](#create-new-session) Only when `create()` called, session cookie is created (for native PHP session handler cookie is present all the time whether it's needed or not). ``` $session->create(); ``` ### Open existing session [](#open-existing-session) If session was not created earlier, session is not opened and `false` is returned. ``` $session->open(); ``` If you want to create new session if it does not exist already, just pass `true`as argument. It will call `create()` transparently. ``` $session->open(true); ``` ### Regenerate session id [](#regenerate-session-id) ``` // auto-regenerate after specified time (secs) $session->setIdTtl(300); // auto-regenerate after specified number of requests $session->setIdRequestsLimit(10); // manually $session->regenerateId(); ``` ### Listen to special events [](#listen-to-special-events) ``` use Sesshin\Event\Event; $eventEmitter = $session->geEmitter(); $eventEmitter->addListener('sesshin.no_data_or_expired', function(Event $event) { die('Session expired or session adoption attack!'); }); $eventEmitter->addListener('sesshin.expired', function(Event $event) { die(sprintf('Session %s expired!', $event->getSession()->getId())); }); $eventEmitter->addListener('sesshin.invalid_fingerprint', function(Event $event) { die('Invalid fingerprint, possible attack!'); }); ``` ### User session [](#user-session) ``` use Sesshin\User\Session as UserSession; use Sesshin\Store\FileStore; $userSession = new UserSession(new FileStore('/path/to/dir')); $userSession->create(); $userSession->login(123); if ($userSession->isLogged()) { echo sprintf('User %s is logged', $userSession->getUserId()); // Or if you have some kind of UserRepository class, which can be used to fetch user data $user = UserRepository::find($userSession->getUserId()); echo sprintf('User %s is logged', $user->getUsername()); } ``` ### Store [](#store) Sesshin provides default FileStore. ``` use Sesshin\Session; use Sesshin\Store\FileStore; $session = new Session(new FileStore('/path/to/dir')); ``` Note! Using /tmp as a directory is not secure on shared hosting. Alternatively you can use one of numerous [doctrine/cache](https://github.com/doctrine/cache/tree/master/lib/Doctrine/Common/Cache)providers. ``` use Sesshin\Store\DoctrineCache; use Doctrine\Common\Cache\MemcachedCache; $memcached = new Memcached; // here configure memcached (add servers etc) $session = new Session(new DoctrineCache(new MemcachedCache($memcached))); ``` You can also implement your own store using `Sesshin\Store\StoreInterface`. ### Change entropy algorithm [](#change-entropy-algorithm) Entropy is used to generate session id. ``` $session->getIdHandler()->setEntropyGenerator(new MyFancyEntropyGenerator()); ``` `MyFancyEntropyGenerator` must implement `Sesshin\EntropyGenerator\EntropyGeneratorInterface`. ### Change session ID store [](#change-session-id-store) By default session ID is stored in cookie, but sometimes you may need to force session id, eg. based on some token, query string var, etc. ``` $session->getIdHandler()->setIdStore(new MyFancyIdStore()); ``` `MyFancyIdStore` must implement `Sesshin\Id\Store\StoreInterface`. ### Health Score 35 — LowBetter than 77% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity30 Limited adoption so far Community17 Small or concentrated contributor base Maturity61 Established project with proven stability Bus Factor1 Top contributor holds 78.5% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~402 days Total 4 Last Release 3080d ago PHP version history (2 changes)1.0.0PHP >=5.3.3 v1.1.0PHP >=5.4.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/7457bb91566e5572c2d429636acc1ceada24a28335f662357c10a34c3693427a?d=identicon)[sobstel](/maintainers/sobstel) --- Top Contributors [![sobstel](https://avatars.githubusercontent.com/u/117428?v=4)](https://github.com/sobstel "sobstel (113 commits)")[![rkrx](https://avatars.githubusercontent.com/u/5672982?v=4)](https://github.com/rkrx "rkrx (22 commits)")[![yabafinet](https://avatars.githubusercontent.com/u/2982030?v=4)](https://github.com/yabafinet "yabafinet (9 commits)") --- Tags phpsessionsession ### Embed Badge ![Health badge](/badges/sobstel-sesshin/health.svg) ``` [![Health](https://phpackages.com/badges/sobstel-sesshin/health.svg)](https://phpackages.com/packages/sobstel-sesshin) ``` ### Alternatives [mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k18.0M134](/packages/mews-purifier)[aura/session Provides session management functionality, including lazy session starting, session segments, next-request-only ("flash") values, and CSRF tools. 2051.2M76](/packages/aura-session)[paragonie/anti-csrf Paragon Initiative's Anti-CSRF Security Library 304211.3k5](/packages/paragonie-anti-csrf)[api-skeletons/doctrine-orm-graphql GraphQL Type Driver for Doctrine ORM 125.5k1](/packages/api-skeletons-doctrine-orm-graphql) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)