The way it should be.
Encrypt your users' session data in such a way that not even you could read it.
Compatible with all frameworks. Or no framework at all. You choose.
Do you store your users' sessions on the file system? MySQL? Redis? Punched cards? We've got it.