PHP Session
Also Known As
PHP sessions
session_start()
PHP $_SESSION
TL;DR
Server-side storage keyed by a session ID cookie — the correct place to store authorisation state.
Explanation
PHP sessions store data server-side ($_SESSION) and associate it with a session ID transmitted via a cookie. Because the data lives on the server, the client cannot tamper with it — making sessions the correct location for auth state (logged-in user ID, role, CSRF token). session_start() must be called before any output, because it sends the Set-Cookie header and headers cannot be sent once the response body has begun. Use session_regenerate_id(true) after login to prevent session fixation: the pre-authentication ID, which an attacker may have planted, is never promoted to an authenticated one, and the true argument deletes the old server-side data. Configure the session cookie with HttpOnly, Secure, and SameSite=Strict.
Diagram
sequenceDiagram
participant B as Browser
participant PHP as PHP
participant STORE as Session Store
B->>PHP: First request
PHP->>STORE: Create session data
STORE-->>PHP: session_id abc123
PHP-->>B: Set-Cookie: PHPSESSID=abc123
B->>PHP: Next request + cookie
PHP->>STORE: Load session abc123
STORE-->>PHP: Session data
PHP-->>B: Response using session data
Note over PHP,STORE: session_regenerate_id after login
Note over PHP,STORE: Prevents session fixation
Common Misconception
✗ PHP sessions are secure by default. Default PHP session configuration stores session files in a shared /tmp directory, uses a predictable session name (PHPSESSID), and does not set Secure or HttpOnly cookie flags — all of these need explicit hardening.
Why It Matters
PHP sessions are the backbone of web authentication — misconfigured session handling enables fixation, hijacking, and CSRF attacks that bypass all application-level security.
Common Mistakes
- Not calling session_regenerate_id(true) after login — leaves old session ID valid for fixation attacks.
- Not setting session.cookie_httponly, session.cookie_secure, and session.cookie_samesite.
- Storing sensitive data like plaintext passwords in the session.
- Not destroying the session completely on logout — session_destroy() alone does not unset the cookie.
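The following is an added example, not code from the page or from PHP itself. It packages the points above into a reusable helper: a hardened session bootstrap, login that regenerates the ID, a logout that clears both data and cookie, and, going beyond the page, idle and absolute timeouts enforced in application code (session.gc_maxlifetime alone only makes stale data eligible for probabilistic garbage collection) plus periodic ID rotation. It assumes PHP 7.3 or later (SameSite support, array form of session_set_cookie_params and setcookie), a site served over HTTPS, and the timeout constants are assumed values.

```php
<?php
// Added example (not the page's own code): hardened session helper.
// Assumes PHP >= 7.3 and HTTPS; the timeout values below are assumptions.

declare(strict_types=1);

const SESSION_IDLE_SECONDS     = 1800;  // assumed: 30 minutes without a request
const SESSION_ABSOLUTE_SECONDS = 28800; // assumed: 8 hours regardless of activity
const SESSION_ROTATE_SECONDS   = 900;   // assumed: rotate the ID every 15 minutes

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session IDs the server never issued: an attacker-chosen ID is
    // discarded instead of being adopted, which blocks fixation at the door.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, no persistent expiry
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();

    $now = time();
    // gc_maxlifetime only marks data as eligible for garbage collection, which
    // runs probabilistically; the real idle/absolute limits are enforced here.
    $lastActivity = $_SESSION['_last_activity'] ?? $now;
    $createdAt    = $_SESSION['_created_at']    ?? $now;
    if ($now - $lastActivity > SESSION_IDLE_SECONDS
        || $now - $createdAt > SESSION_ABSOLUTE_SECONDS) {
        logout();                 // drop data and cookie ...
        session_start();          // ... and continue with a fresh anonymous session
        session_regenerate_id(true);
        stamp_session($now);
        return;
    }
    if (!isset($_SESSION['_created_at'])) {
        stamp_session($now);      // first request: initialise the timestamps
        return;
    }
    $_SESSION['_last_activity'] = $now;

    // Periodic rotation shortens the window in which a leaked ID stays usable.
    $rotatedAt = $_SESSION['_rotated_at'] ?? $now;
    if ($now - $rotatedAt > SESSION_ROTATE_SECONDS) {
        session_regenerate_id(true);
        $_SESSION['_rotated_at'] = $now;
    }
}

function stamp_session(int $now): void
{
    $_SESSION['_created_at']    = $now;
    $_SESSION['_last_activity'] = $now;
    $_SESSION['_rotated_at']    = $now;
}

function login_user(int $userId, string $role): void
{
    // Call only after the credentials have been verified. Regenerating here
    // means the pre-authentication ID is never promoted to an authenticated
    // one; the true argument deletes the old server-side data as well.
    session_regenerate_id(true);
    $_SESSION = [];               // never carry pre-login state forward
    stamp_session(time());
    $_SESSION['user_id']    = $userId;
    $_SESSION['role']       = $role;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same attributes it was issued with; a
        // mismatching path or domain would leave the old cookie in place.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Typical request flow:
// secure_session_start();
// if ($credentialsOk) { login_user($user->id, $user->role); }   // $user is assumed
// ... later, on the logout route: logout();
```

The timeout check runs before any request handling, so an expired session is replaced by an anonymous one rather than silently continuing, and login_user() starts from an empty $_SESSION so nothing written before authentication survives the privilege change.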
Code Examples
✗ Vulnerable
<?php
// Insecure session start — default settings:
session_start(); // no Secure/HttpOnly/SameSite flags, no strict mode, no regeneration
$_SESSION['user_id'] = $user->id; // the pre-login session ID is promoted to an authenticated one

// Secure (minimal fix; see the Fixed block for the full configuration):
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_samesite', 'Lax');
session_start();
session_regenerate_id(true); // After login, i.e. only once the credentials have been verified
✓ Fixed
<?php
// Secure session configuration (php.ini or ini_set before session_start)
ini_set('session.cookie_httponly', 1); // JS cannot read cookie
ini_set('session.cookie_secure', 1); // HTTPS only
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_strict_mode', 1); // reject unrecognised session IDs
ini_set('session.gc_maxlifetime', 1800); // 30 min idle timeout: data becomes eligible for garbage
                                         // collection, which runs probabilistically, so enforce
                                         // the limit in application code as well
session_start();
// After login — always regenerate to prevent session fixation
session_regenerate_id(true);
$_SESSION['user_id'] = $user->id;
$_SESSION['role'] = $user->role;
// Destroy on logout
$_SESSION = [];
$params = session_get_cookie_params(); // clear the cookie with the attributes it was set with
setcookie(session_name(), '', [
    'expires'  => time() - 3600,
    'path'     => $params['path'],
    'domain'   => $params['domain'],
    'secure'   => $params['secure'],
    'httponly' => $params['httponly'],
    'samesite' => $params['samesite'],
]);
session_destroy();
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Set session.cookie_secure=1, cookie_httponly=1, cookie_samesite=Lax, use_strict_mode=1 in php.ini; call session_regenerate_id(true) on login
📦 Applies To
PHP 5.0+
web
🔍 Detection Hints
session_start() without secure cookie configuration or missing session_regenerate_id on login
Auto-detectable: ✓ Yes (semgrep, phpcs)
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update
CWE-384 (Session Fixation)
CWE-613 (Insufficient Session Expiration)