Create a Secure Session Management System in PHP and MySQL

This guide will show you how you can store your sessions securely in a mySQL database. We will also encrypt all session data that goes into the database, which means if anyone manages to hack into the database all session data is encrypted by 256-bit AES encryption.

Steps

Configure mySQL Database

  1. Create a MySQL database.
    In this guide we will create a database called "secure_sessions".
    See how to Create-a-Database-in-Phpmyadmin.
    Or you can use the SQL code below will create one for you.

    Create Database Code:
    Note: Some hosting services don't allow you to create a database through phpMyAdmin, Learn how to do it in cPanel.
  2. Create a user with only SELECT, INSERT and DELETE privileges.
    This means that if there was ever a breach of security in our script the hacker couldn't drop tables from our database. If you're really paranoid, create a different user for each function.

    • User: "sec_user"
    • Password: "eKcGZr59zAa2BEWU"


    Create User Code:
    Note: It is a good idea to change the password in the code above when running on your own server. (Make sure you change your PHP code also.) Remember it doesn't need to be a password that you can remember so make is as complicated as possible. Here's a random password generator.
  3. Create a MySQL table named "sessions".
    The code below creates a table with 4 fields (id, set_time, data, session_key).

    Create the "sessions" table:
    We use the CHAR datatype for fields we know the length of, as the fields "id" and "session_key" will always be 128 characters long. Using CHAR here saves on processing power.

Create session.class.php file

  1. Create Class.
    To start a new class you will need to enter the code below:

    New Class:
  2. Create __construct function.
    This function will be called every time we create a new instance of an object using the 'session' class. You can read up on the PHP __construct function here.
    This function sets our custom session handler so it is available for use as soon as the class is instantiated (i.e., made/built/constructed).

    __construct function:
  3. Create start_session function.
    This function will be called every time you want to start a new session, use it instead of session_start();. See the comments in the code to see what each line does.

    start_session function:
  4. Create open function.
    This function will be called by the PHP sessions when we start a new session, we use it to start a new database connection.

    open function:
  5. Create close function.
    This function will be called when the sessions want to be closed.

    close function:
  6. Create read function.
    This function will be called by PHP when we try to access a session for example when we use echo $_SESSION['something'];. Because there might be many calls to this function on a single page, we take advantage of prepared statements, not only for security but for performance also. We only prepare the statement once then we can execute it many times.
    We also decrypt the session data that is encrypted in the database. We are using 256-bit AES encryption in our sessions.

    read function:
  7. Create write function.
    This function is used when we assign a value to a session, for example $_SESSION['something'] = 'something else';. The function encrypts all the data which gets inserted into the database.

    write function:
  8. Create destroy function.
    This function deletes the session from the database, it is used by php when we call functions like session__destroy();.

    destroy function:
  9. Create gc (garbage collector) function.
    This function is the garbage collector function it is called to delete old sessions. The frequency in which this function is called is determined by two configuration directives, session.gc_probability and session.gc_divisor.

    gc() function:
  10. Create getKey function.
    This function is used to get the unique key for encryption from the sessions table. If there is no session it just returns a new random key for encryption.

    getkey() Function:
  11. Create encrypt and decrypt functions.
    These functions encrypt the data of the sessions, they use an encryption key from the database which is different for each session. We don't directly use that key in the encryption but we use it to make the key hash even more random.

    encrypt() and decrypt() functions:
  12. End Class.
    Here we just end the classes curly brackets:

    End Class:

Creating Pages With Sessions

  1. Using sessions with the custom session manager.
    Below is how you would start a new session; you would need to include this on every page you want to access the sessions, use it instead of session_start();

    Starting a session:

Related Articles