Session Handling From Scratch

Question

I want to create a session handler from scratch. I don\'t want to use session_set_save_handler. I can\'t find anything anywhere though and I just don\'t know where

Answer 1

You don't need to use PHP's session handling if you use encrypted cookies. Basically, standard sessions store the data on the server (memcache, file, or database), and the ID/key to the data is placed in a cookie given to the user agent.

Encrypted cookies just store the data in a cookie on the user agent and forgo the ID/key altogether. This reduces server load as storage is offloaded to the user.

If the data isn't important enough to encrypt, you can also just HMAC sign the cookie contents to prevent people from changing it even though they can see the raw contents.

You might want to try out my simple PHP Kit library which uses encrypted cookies.

$_SESSION = \Kit\Cookie::get('session');
...do stuff...
\Kit\Cookie::set('session', $_SESSION);

Just make sure you save the cookie before you send any output to the user since all headers need to be sent first.