If you are ever working with sensitive user data in PHP sessions (e.g. SSNs, credit card numbers), you will not want that information stored in plaintext. Unfortunately, the default session handler in PHP does exactly that.

I ran into this issue on a recent development project for work, which stored SSNs both in a MySQL database and in the session. The database was easy to take care of, because the app was written in CakePHP: I simply had to implement the Cryptable behavior on the appropriate models. The session, on the other hand, was a bit trickier.

Unable to find a suitable CakePHP extension to handle encrypted session variables (and coming too close to the launch date for the app to write my own), I found the Suhosin extension for PHP. All I had to do was install it on my server and I was good to go.
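For comparison with Suhosin's drop-in approach, this is what the hand-written alternative looks like: a custom save handler registered through PHP's session_set_save_handler that encrypts each session record before it is written. It is an added example, not code from this post, from CakePHP or from Suhosin; it assumes PHP 8.0+ with the OpenSSL extension and a 32-byte key supplied as 64 hex characters in an environment variable named SESSION_KEY (a hypothetical name chosen for the example).

```php
<?php
// Added example (not code from the post or from Suhosin): a save handler that
// encrypts every session record with AES-256-GCM before it reaches disk. Assumes
// PHP 8.0+ with OpenSSL and a 32-byte key as 64 hex chars in SESSION_KEY (hypothetical name).
final class EncryptedFileSessionHandler implements SessionHandlerInterface {
    private const CIPHER = 'aes-256-gcm';
    private string $key;
    private string $dir;
    public function __construct(string $hexKey, string $dir) {
        $key = @hex2bin($hexKey);
        if ($key === false || strlen($key) !== 32) {
            throw new InvalidArgumentException('SESSION_KEY must be 64 hex characters');
        }
        $this->key = $key;
        $this->dir = rtrim($dir, '/');
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    // Accept only the characters PHP uses in session ids, so a crafted id cannot escape $dir.
    private function file(string $id): string {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) { throw new RuntimeException('malformed session id'); }
        return $this->dir . '/sess_' . $id;
    }
    public function read(string $id): string|false {
        $blob = @file_get_contents($this->file($id));
        if ($blob === false || strlen($blob) < 28) { return ''; }  // no record yet: empty session
        [$iv, $tag, $ct] = [substr($blob, 0, 12), substr($blob, 12, 16), substr($blob, 28)];
        // The session id is bound as associated data, so a record copied from another
        // session fails authentication instead of being loaded.
        $plain = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $plain === false ? '' : $plain;  // tampered or wrong key: start empty, never load it
    }
    public function write(string $id, string $data): bool {
        $iv = random_bytes(12);  // fresh nonce per write; never reuse one under the same key
        $ct = openssl_encrypt($data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        if ($ct === false) { return false; }
        $path = $this->file($id);
        return file_put_contents($path, $iv . $tag . $ct, LOCK_EX) !== false && chmod($path, 0600);
    }
    public function destroy(string $id): bool { $p = $this->file($id); return !file_exists($p) || unlink($p); }
    public function gc(int $maxLifetime): int|false {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) { $n++; }
        }
        return $n;
    }
}
session_set_save_handler(new EncryptedFileSessionHandler((string) getenv('SESSION_KEY'), sys_get_temp_dir() . '/encsess'), true);
session_start();
```

The key must live outside the web root and the session directory, since anyone who can read both gets the plaintext back; a decryption failure in read() is worth logging, because it means a record was altered or written under a different key.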

sudo apt-get install php5-suhosin

Not only does Suhosin encrypt the session data out of the box, it also provides a variety of other security hardening features for PHP. This is definitely a must-have on any server that will be dealing with sensitive user data.

http://www.hardened-php.net/suhosin