If it’s encrypted, how do you use it? Can’t use the token if it’s encrypted?
Under normal operation a $_SESSION should only be returned to the user that owns it,
since a PHP session only stores a session ID on the user’s computer that matches the session data stored wherever on the server.
If your concern is someone hacking the information, they’ll just take your DB and grab the tokens from there. The encryption doesn’t help when it needs to be reversible to read the true value.