
How To Secure PHP Sessions?

BY Atakan Demircioğlu
Table of Contents

My notes on how to secure PHP sessions, what session hijacking is, and related session attacks.


Session Hijacking

Session Fixation

Defend Session attacks in PHP

Setting HTTP Only Cookies In PHP

ini_set('session.cookie_httponly', 1);

OR (PHP 8+, using a named argument)

setcookie($name, $value, httponly: true);

OR

session_start(['cookie_httponly' => true]);

Setting Secure Cookies In PHP

In php.ini:

session.cookie_secure = True

OR set it to true with the session_set_cookie_params function (replace the placeholder values with your own):

  session_set_cookie_params([
      'lifetime' => 'YOUR_LIFE_TIME_VALUE', // integer seconds; 0 means until the browser closes
      'path' => 'YOUR_PATH',
      'domain' => 'YOUR_DOMAIN',
      'secure' => true, // send the cookie over HTTPS only
      'httponly' => true, // keep the cookie out of reach of JavaScript
      'samesite' => 'YOUR_SAME_SITE_VALUE' // 'Lax', 'Strict' or 'None'
  ]);
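A quick way to confirm that the attributes above actually reach the browser is to inspect the Set-Cookie header the application emits. The following audit helper is an added example, not code from the original article; it takes a Set-Cookie header value and reports which of Secure, HttpOnly and a Lax/Strict SameSite value are missing. The sample headers at the bottom are constructed, not captured from a real server.

```php
<?php
// Added example (not from the original article): audit one Set-Cookie header
// for the session-cookie protections these notes describe. Intended for an
// integration test that fetches a page and inspects the response headers.
declare(strict_types=1);

/**
 * Return the list of missing protections for a single Set-Cookie header value.
 * An empty array means the cookie carries Secure, HttpOnly and SameSite=Lax|Strict.
 */
function auditSessionCookie(string $setCookieHeader): array
{
    $parts = array_map('trim', explode(';', $setCookieHeader));
    array_shift($parts); // the first segment is name=value, not an attribute

    // Attribute names are case-insensitive; flag attributes have no value.
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower(trim($key))] = $value === null ? null : trim($value);
    }

    $missing = [];
    if (!array_key_exists('secure', $attrs)) {
        $missing[] = 'Secure';
    }
    if (!array_key_exists('httponly', $attrs)) {
        $missing[] = 'HttpOnly';
    }
    $sameSite = strtolower((string) ($attrs['samesite'] ?? ''));
    if (!in_array($sameSite, ['lax', 'strict'], true)) {
        // 'None' is only honoured together with Secure and gives no cross-site protection.
        $missing[] = 'SameSite=Lax or Strict';
    }
    return $missing;
}

// Constructed sample headers (not captured from a real server).
$samples = [
    'PHPSESSID=abc123; path=/',
    'PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
];
foreach ($samples as $header) {
    $missing = auditSessionCookie($header);
    echo $header, PHP_EOL;
    echo '  -> ', $missing ? 'missing: ' . implode(', ', $missing) : 'ok', PHP_EOL;
}
```

Run it with the PHP CLI; the first sample reports all three protections as missing, the second reports ok. In a real test, feed it the Set-Cookie values from the login response instead of the constructed samples.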

Same Site Cookie In PHP

Set it with the session_set_cookie_params function ('Lax', 'Strict' or 'None').

For a better understanding of the SameSite attribute values, please visit this link.

ini_set('session.cookie_samesite', 'HERE_WRITE_VALUE');

OR set it through the 'samesite' key of the options array passed to session_set_cookie_params, as shown above.
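Putting the three cookie attributes together, here is a hardened session bootstrap as an added example; it is not code from the original article. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie) and a site served over HTTPS. The cookie name APPSESSID and the functions secureSessionStart, loginUser and logoutUser are placeholders chosen for the example. Beyond the settings in the notes above, it also enables session.use_only_cookies and session.use_strict_mode and regenerates the session id at login, which is the standard PHP mitigation for session fixation.

```php
<?php
// Added example (not from the original article): a session bootstrap that
// applies HttpOnly, Secure and SameSite together and defends against
// session fixation. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

function secureSessionStart(string $cookieName = 'APPSESSID'): void
{
    // Placeholder cookie name; the attributes below are what matter.
    session_name($cookieName);

    // Accept the session id only from the cookie, never from the URL,
    // and reject ids the server never issued (both must be set before session_start).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // use 'Strict' if no cross-site navigation should carry it
    ]);

    session_start();
}

function loginUser(int $userId): void
{
    // Session fixation defence: issue a fresh id when privileges change and
    // delete the old session data so the pre-login id stops working.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];

    // Expire the cookie on the client with the same attributes it was set with,
    // otherwise the browser keeps sending the stale id.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);

    session_destroy();
}

// Call this once per request before any output is sent.
secureSessionStart();
```

Call loginUser after a successful credential check and logoutUser from the logout handler; both rely on secureSessionStart having run earlier in the same request.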
