Secure User Sessions

Sessions allow you to remember users between requests, but if not hardened they become a juicy target. PHP’s default session handling is better than it used to be, yet still requires care.

1. Secure session cookies

When starting a session, configure the cookie parameters: set secure, httponly and samesite=Strict. The httponly flag stops JavaScript from reading the session ID, and the secure flag stops the cookie being sent over insecure (plain HTTP) connections.

    // Must be called before session_start()
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // hidden from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
    session_regenerate_id(true); // true also deletes the old session data

2. Prevent fixation

Always regenerate the session ID after login using session_regenerate_id(). Tie the session to the user’s IP and user agent to detect anomalies.

3. Cleanup

Destroy sessions on logout and purge old session files server-side. Use a custom session handler to store sessions in a database if you need stronger control.
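The three steps above (hardened cookie, regeneration plus fingerprint after login, teardown on logout) put together as an added example; this is not code from the original page. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie with a samesite key) and a site served over HTTPS, and the helper names are my own.

```php
<?php
// Added example, not the page's own code. Assumes PHP 7.3+ (array form of
// session_set_cookie_params with 'samesite') and a site served over HTTPS.
function secure_session_start(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, no persistent copy on disk
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server never issued
    session_start();
}

// Fingerprint used to notice a session ID being replayed from a different client.
// Caveat: IPs change on mobile networks and the UA on browser updates, so treat a
// mismatch as "log in again", not as an account lockout.
function client_fingerprint(): string {
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// Call once the credentials have been verified: a fresh ID defeats fixation.
function on_login(int $userId): void {
    session_regenerate_id(true); // true = discard the old session data too
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = client_fingerprint();
}

// User id for a valid session, or null (tearing the session down on a mismatch).
function current_user(): ?int {
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        logout();
        return null;
    }
    return $_SESSION['user_id'];
}

function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);                                             // not a setcookie option
    setcookie(session_name(), '', ['expires' => time() - 3600] + $p); // expire the cookie
    session_destroy();                                                 // drop the server-side file
}
```

Server-side garbage collection of stale session files is still governed by session.gc_maxlifetime and session.gc_probability, so keep those tuned regardless of the explicit logout path.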