Yasuo Ohgaki


PHP RFC: User defined session serializer


Currently, only C module can add additional session data serializer. With user defined session data serializer, users can

  • Encrypt/decrypt session data transparently.
  • Use any serialization format such as JSON/XML/etc.
  • Add invisible data to session data for session data management purpose.
  • Validate session data via hash_hmac().


Add session serializer registration function.

bool session_set_serializer(callable $serialize_func, callable $unserialize_func)

$serialize_func and $unserialize_func are:

$serialize_func = function(array $session_data_array) {
  // User can add/encrypt data in this function
  // Returning anything other than string raises E_RECOVERABLE_ERROR
  return serialize($session_data_array); // Must return string
$unserialize_func = function(string $session_data_string) {
  // User can remove/decrypt/validate data in this function
  // Returning anything other than array raises E_RECOVERABLE_ERROR
  return unserialize($session_data_string); // Must return array

Add session serializer interface.

interface SessionSerializerInterface {
  function encode(array $session_data_array):string;
  function decode(string $serialized_session_data_string):array;

session_set_serializer() accepts object implements SessionSerializerInterface.

bool session_set_serializer(SessionSerializerInterface $handler)

These functions/methods are called before reading/writing session data to session data database.

Please refer to the pull request phpt files for usage details.

Backward Incompatible Changes


Proposed PHP Version(s)

Next PHP. Currently 7.2.

Future Scope

Current session modules OO user save handler uses internal save handler as its base object. This design caused many problems.

User defined session serializer can get rid of this design issue. There will be new and clean OO session save handler interface proposal. This RFC keeps extendability for new OO session save handler API.

Patches and Tests


After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)


Links to external references, discussions or RFCs


An option needs 2/3 votes to win

Add user defined session serializer (47.4% approved)
User Vote
bwoebi No
danack No
guilhermeblanco Yes
hywan No
kalle Yes
kguest Yes
leigh No
levim No
lstrojny Yes
mariano Yes
mfischer Yes
nikic No
ocramius No
peehaa No
pierrick No
remi Yes
ryat No
yohgaki Yes
yunosh Yes