PHP RFC: User defined session serializer


Currently, only C module can add additional session data serializer. With user defined session data serializer, users can

  • Encrypt/decrypt session data transparently.
  • Use any serialization format such as JSON/XML/etc.
  • Add invisible data to session data for session data management purpose.
  • Validate session data via hash_hmac().


Add session serializer registration function.

bool session_set_serializer(callable $serialize_func, callable $unserialize_func)

$serialize_func and $unserialize_func are:

$serialize_func = function(array $session_data_array) {
  // User can add/encrypt data in this function
  // Returning anything other than string raises E_RECOVERABLE_ERROR
  return serialize($session_data_array); // Must return string
$unserialize_func = function(string $session_data_string) {
  // User can remove/decrypt/validate data in this function
  // Returning anything other than array raises E_RECOVERABLE_ERROR
  return unserialize($session_data_string); // Must return array

Add session serializer interface.

interface SessionSerializerInterface {
  function encode(array $session_data_array):string;
  function decode(string $serialized_session_data_string):array;

session_set_serializer() accepts object implements SessionSerializerInterface.

bool session_set_serializer(SessionSerializerInterface $handler)

These functions/methods are called before reading/writing session data to session data database.

Please refer to the pull request phpt files for usage details.

Backward Incompatible Changes


Proposed PHP Version(s)

Next PHP. Currently 7.2.

Future Scope

Current session modules OO user save handler uses internal save handler as its base object. This design caused many problems.

User defined session serializer can get rid of this design issue. There will be new and clean OO session save handler interface proposal. This RFC keeps extendability for new OO session save handler API.

Proposed Voting Choices

2/3 majority is required to pass.

Vote starts: 2016-12-05 Vote ends: 2016-12-19 UTC 23:59:59

Add user defined session serializer
Real name Yes No
bwoebi (bwoebi)  
danack (danack)  
guilhermeblanco (guilhermeblanco)  
hywan (hywan)  
kalle (kalle)  
kguest (kguest)  
leigh (leigh)  
levim (levim)  
lstrojny (lstrojny)  
mariano (mariano)  
mfischer (mfischer)  
nikic (nikic)  
ocramius (ocramius)  
peehaa (peehaa)  
pierrick (pierrick)  
remi (remi)  
ryat (ryat)  
yohgaki (yohgaki)  
yunosh (yunosh)  
Count: 9 10

Patches and Tests


After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature
  4. a link to the language specification section (if any)


Links to external references, discussions or RFCs

rfc/user_defined_session_serializer.txt · Last modified: 2017/09/22 13:28 by