diff --git a/roles/phpmyadmin/defaults/main.yml b/roles/phpmyadmin/defaults/main.yml
index cecc4ac..84f2c8a 100644
--- a/roles/phpmyadmin/defaults/main.yml
+++ b/roles/phpmyadmin/defaults/main.yml
@@ -72,3 +72,7 @@ pma_sso_groups: []
 # - group: DB_Admins
 # sql_login: admin
 # sql_password: s3cr3t.
+
+# Instead of storing SQL credentials in clear text in sso.php, you can define an encryption key here
+# This encryption key should be passed to phpMyAdmin in the X-Encryption-Token HTTP header so phpMyAdmin can decrypt the passwords
+# pma_sso_encryption_token: myrandompassword
diff --git a/roles/phpmyadmin/tasks/facts.yml b/roles/phpmyadmin/tasks/facts.yml
index 1de8410..62226b5 100644
--- a/roles/phpmyadmin/tasks/facts.yml
+++ b/roles/phpmyadmin/tasks/facts.yml
@@ -35,3 +35,20 @@
     - pass_file: "{{pma_root_dir }}/meta/ansible_dbpass"
 - set_fact: pma_db_pass={{ rand_pass }}
   tags: pma
+
+- name: Encrypt SQL user passwords
+  command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.user }}'),0,16));"
+  register: pma_sso_users_encrypted
+  changed_when: False
+  loop: "{{ pma_sso_users | default([]) }}"
+  when: pma_sso_encryption_token is defined
+  tags: pma
+
+- name: Encrypt SQL group passwords
+  command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.group }}'),0,16));"
+  register: pma_sso_groups_encrypted
+  changed_when: False
+  loop: "{{ pma_sso_groups | default([]) }}"
+  when: pma_sso_encryption_token is defined
+  tags: pma
+
diff --git a/roles/phpmyadmin/tasks/install.yml b/roles/phpmyadmin/tasks/install.yml
index 9ff38a8..42302ad 100644
--- a/roles/phpmyadmin/tasks/install.yml
+++ b/roles/phpmyadmin/tasks/install.yml
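Review bot: The comment above the new `pma_sso_encryption_token` line should say what the value is actually used for: the facts tasks in this same commit hand it to `openssl_encrypt` as the raw `aes-128-cbc` key, so the example `myrandompassword` understates what a deployer needs to provide. I would extend the comment with `# Used directly as the AES-128 key (no key derivation); generate a random value and keep it in ansible-vault rather than in this file`. It is also worth stating that, because the key travels in the X-Encryption-Token request header, it is only as confidential as the transport that carries that header.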
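Review bot: Both new `command:` tasks expose the secrets they are meant to protect: the registered result and the per-item loop output (which includes `item.sql_password`) are printed in the play log, and `{{ item.sql_password }}` and `{{ pma_sso_encryption_token }}` are interpolated into the argv, where any local user on the target can read them from the process list while php runs. Add `no_log: true` to both tasks and pass the three values via `environment:` and `getenv()` instead of the command line; that also stops a password containing `'` from breaking or altering the PHP expression, since the `command` module does no escaping of the embedded PHP string literal. The same change applies to the "Encrypt SQL group passwords" task with `item.group` in place of `item.user`. Separately, the IV is `substr(hash('sha256', …), 0, 16)`, a deterministic value drawn from a 16-character hex alphabet, and the token is used as the raw key without derivation — whether that is adequate depends on how sso.php.j2 decrypts, which is outside this hunk; `changed_when: False` should be lowercase `false`.
```yaml
- name: Encrypt SQL user passwords
  command: >-
    php{{ pma_php_version }} -r
    "echo openssl_encrypt(getenv('PMA_SQL_PASSWORD'),'aes-128-cbc',getenv('PMA_SSO_TOKEN'),0,substr(hash('sha256',getenv('PMA_SSO_SUBJECT')),0,16));"
  environment:
    PMA_SQL_PASSWORD: "{{ item.sql_password }}"
    PMA_SSO_TOKEN: "{{ pma_sso_encryption_token }}"
    PMA_SSO_SUBJECT: "{{ item.user }}"  # item.group in the groups task
  register: pma_sso_users_encrypted
  changed_when: false
  no_log: true
  # … unchanged: loop / when / tags …
```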
@@ -52,3 +52,12 @@
   when: db_created.changed
   tags: pma
 
+- name: Setup a cron job to cleanup expired sessions
+  cron:
+    name: phpmyadmin_{{ pma_id }}_session_cleanup
+    cron_file: phpmyadmin
+    user: "{{ pma_php_user }}"
+    job: "find {{ pma_root_dir }}/sessions -type f -mmin +480 -exec rm -f \"{}\" \\;"
+    special_time: hourly
+  tags: pma
+
diff --git a/roles/phpmyadmin/templates/sso.php.j2 b/roles/phpmyadmin/templates/sso.php.j2
index 69fe722..059743e 100644
--- a/roles/phpmyadmin/templates/sso.php.j2
+++ b/roles/phpmyadmin/templates/sso.php.j2
@@ -1,20 +1,13 @@
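Review bot: The `job:` line hard-codes the 480-minute cutoff, which silently couples this cron job to whatever session lifetime phpMyAdmin/PHP is configured with; if the two disagree, session files are either removed while still valid or linger past expiry. I would lift it into a role default (e.g. `pma_session_max_age_minutes: 480`, a constructed name) and write `job: "find {{ pma_root_dir }}/sessions -type f -mmin +{{ pma_session_max_age_minutes }} -delete"`, which also drops the `-exec rm -f \"{}\" \\;` quoting and the per-file process spawn. If `pma_root_dir` could be empty at render time the job would run against `/sessions`; a guard in the role's variable checks would be sensible, though I cannot tell from this hunk whether one already exists.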