← Back to glossary

PHP Session

PHP PHP 5.0+ Beginner

debt(d7/e3/b5/t7)

d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). While semgrep and phpcs can flag missing session_regenerate_id or insecure cookie flags, misconfiguration in php.ini and missing hardening typically only surface in security review or pentesting — production silently accepts insecure sessions.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is a handful of ini settings plus a session_regenerate_id(true) call on login — small, parameterised changes, but touches both config and login flow rather than a single line.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Sessions are load-bearing for authentication across the entire web context (applies_to: web); every auth-related feature, logout flow, and security review must account for session semantics, but it doesn't define the system's overall shape.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception is explicit: developers assume sessions are secure by default when in fact PHPSESSID, /tmp storage, and absent Secure/HttpOnly flags make defaults dangerous — contradicts the reasonable expectation that a built-in session API would be hardened.

About DEBT scoring → scored by claude-opus-4-7 · 2026-05-11 · reviewed by human

Also Known As

PHP sessions session_start() PHP $_SESSION

TL;DR

Server-side storage keyed by a session ID cookie — the correct place to store authorisation state.

Explanation

PHP sessions store data server-side ($_SESSION) and associate it with a session ID transmitted via a cookie. Because the data lives on the server, the client cannot tamper with it — making sessions the correct location for auth state (logged-in user ID, role, CSRF token). session_start() must be called before any output. Use session_regenerate_id(true) after login to prevent session fixation. Configure the session cookie with HttpOnly, Secure, and SameSite=Strict.

Diagram

sequenceDiagram
    participant B as Browser
    participant PHP as PHP
    participant STORE as Session Store
    B->>PHP: First request
    PHP->>STORE: Create session data
    STORE-->>PHP: session_id abc123
    PHP-->>B: Set-Cookie: PHPSESSID=abc123
    B->>PHP: Next request + cookie
    PHP->>STORE: Load session abc123
    STORE-->>PHP: Session data
    PHP-->>B: Response using session data
    Note over PHP,STORE: session_regenerate_id after login
    Note over PHP,STORE: Prevents session fixation

Common Misconception

✗ PHP sessions are secure by default. Default PHP session configuration stores session files in a shared /tmp directory, uses a predictable session name (PHPSESSID), and does not set Secure or HttpOnly cookie flags — all of these need explicit hardening.

Why It Matters

PHP sessions are the backbone of web authentication — misconfigured session handling enables fixation, hijacking, and CSRF attacks that bypass all application-level security.

Common Mistakes

Not calling session_regenerate_id(true) after login — leaves old session ID valid for fixation attacks.
Not setting session.cookie_httponly, session.cookie_secure, and session.cookie_samesite.
Storing sensitive data like plaintext passwords in the session.
Not destroying the session completely on logout — session_destroy() alone does not unset the cookie.

Code Examples

✗ Vulnerable

// Insecure session start — default settings:
session_start(); // No secure flags, no regeneration
$_SESSION['user_id'] = $user->id;

// Secure:
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_samesite', 'Lax');
session_start();
session_regenerate_id(true); // After login

✓ Fixed

// Secure session configuration (php.ini or ini_set before session_start)
ini_set('session.cookie_httponly', 1);  // JS cannot read cookie
ini_set('session.cookie_secure', 1);    // HTTPS only
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_strict_mode', 1);  // reject unrecognised session IDs
ini_set('session.gc_maxlifetime', 1800); // 30 min idle timeout

session_start();

// After login — always regenerate to prevent session fixation
session_regenerate_id(true);
$_SESSION['user_id'] = $user->id;
$_SESSION['role']    = $user->role;

// Destroy on logout
$_SESSION = [];
session_destroy();
setcookie(session_name(), '', time() - 3600, '/'); // clear cookie

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Scrapy 20 Perplexity 13 Amazonbot 7 ChatGPT 3 Ahrefs 3 Google 2 Claude 2 Bing 2 SEMrush 2 Meta AI 1 PetalBot 1

Also referenced

Cross-Site Request Forgery (CSRF) 84 Privilege Escalation 75 Insecure Cookie 50

How they use it

crawler 54 crawler_json 2

Related categories

php 13.1k security 7.9k

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: Low

⚡ Quick Fix

Set session.cookie_secure=1, cookie_httponly=1, cookie_samesite=Lax, use_strict_mode=1 in php.ini; call session_regenerate_id(true) on login

📦 Applies To

PHP 5.0+ web

🔗 Prerequisites

Session Fixation Insecure Cookie Cookie Security Attributes

🔍 Detection Hints

session_start() without secure cookie configuration or missing session_regenerate_id on login

Auto-detectable: ✓ Yes semgrep phpcs

⚠ Related Problems

Session Fixation Account Takeover (ATO) Insecure Cookie

🤖 AI Agent

Confidence: High False Positives: Medium ✗ Manual fix Fix: Medium Context: File Tests: Update

CWE-384 CWE-613