How To Secure PHP Sessions?

BY Atakan Demircioğlu
Table of Contents

My notes on how to secure PHP sessions: what session hijacking and session fixation are, and which cookie settings defend against them.


Session Hijacking

Session Fixation

Defend Session attacks in PHP

Setting HTTP Only Cookies In PHP

ini_set( 'session.cookie_httponly', 1 );

OR (PHP 8+, using a named argument):

setcookie($name, $value, httponly: true);

OR pass it as an option to session_start():

session_start(['cookie_httponly' => true]);

Setting Secure Cookies In PHP

In php.ini:

session.cookie_secure = True

OR set it to true with the session_set_cookie_params function (it must be called before session_start()):

session_set_cookie_params([
      'lifetime' => 'YOUR_LIFE_TIME_VALUE', // seconds as an integer; 0 = until the browser closes
      'path' => 'YOUR_PATH',
      'domain' => 'YOUR_DOMAIN',
      'secure' => true, // only send the cookie over HTTPS
      'httponly' => true, // not accessible from JavaScript
      'samesite' => 'YOUR_SAME_SITE_VALUE' // 'Lax', 'Strict' or 'None'
]);

Same Site Cookie In PHP

Set it with the 'samesite' option of the session_set_cookie_params function (Lax, Strict, or None).

For a better understanding of the SameSite attribute values, please visit this link.

ini_set('session.cookie_samesite', 'HERE_WRITE_VALUE');

OR (you can set it with this function by setting up its options)
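Putting the settings above together, here is an added example (not code from the original post) of a session bootstrap that applies the HttpOnly, Secure and SameSite cookie flags, rejects session IDs the server never issued, and regenerates the ID at login as the defence against session fixation; the function names, the 'Lax' choice and the always-HTTPS assumption are mine.

```php
<?php
// Added example (not from the original post): one bootstrap that applies
// every cookie setting discussed above and regenerates the session ID on
// privilege change, the standard defence against session fixation.
declare(strict_types=1);

function secure_session_start(): void
{
    // Only accept session IDs from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server never issued (fixation defence, PHP >= 5.5.2).
    ini_set('session.use_strict_mode', '1');

    // Assumption: production always runs over HTTPS; with 'secure' set the
    // browser never sends the cookie over plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);

    session_start();
}

// Call after a successful login and on any other privilege change.
function on_login(int $userId): void
{
    // A fresh ID invalidates any ID planted in the browser before authentication.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function logout(): void
{
    $_SESSION = [];
    // Expire the browser cookie as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure'   => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Check the result with the browser's developer tools: the PHPSESSID cookie should show the HttpOnly, Secure and SameSite=Lax flags, and its value should change after on_login() runs.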