{
    "slug": "session",
    "term": "PHP Session",
    "category": "php",
    "difficulty": "beginner",
    "short": "Server-side storage keyed by a session ID cookie — the correct place to store authorisation state.",
    "long": "PHP sessions store data server-side ($_SESSION) and associate it with a session ID transmitted via a cookie. Because the data lives on the server, the client cannot tamper with it directly — which makes the session the correct location for auth state (logged-in user ID, role, CSRF token). The session ID cookie is a bearer token, however: whoever presents it inherits that state, so protecting the ID is what all of the hardening below is about. session_start() must be called before any output, and every session.* ini_set() must run before it (settings changed afterwards do not affect a cookie that has already been issued). Enable session.use_strict_mode so the server refuses IDs it did not generate, and call session_regenerate_id(true) after login and after any privilege change to prevent session fixation. Configure the session cookie with HttpOnly, Secure, and SameSite=Lax (or Strict, if the application never needs the cookie on top-level navigations arriving from other sites); SameSite is defence in depth, not a replacement for CSRF tokens. Note that session.gc_maxlifetime only bounds when garbage collection may remove an idle session, and GC runs probabilistically — enforce an idle timeout in application code with a last-activity timestamp.",
    "aliases": [
        "PHP sessions",
        "session_start()",
        "PHP $_SESSION"
    ],
    "tags": [
        "php",
        "authentication",
        "session",
        "security"
    ],
    "misconception": "PHP sessions are secure by default. Default PHP session configuration stores session files in a temp directory (typically /tmp) shared by every site that runs as the same PHP user, leaves session.use_strict_mode off (so the server accepts and initialises any session ID the client presents — the precondition for fixation), and does not set the Secure or HttpOnly cookie flags — all of these need explicit hardening. The default session name PHPSESSID is predictable, but that mainly fingerprints the stack; the security of the session rests on the ID value being random and unguessable, not on the cookie's name.",
    "why_it_matters": "PHP sessions are the backbone of web authentication — the server trusts whatever the session says about the user, so misconfigured session handling enables fixation, hijacking, and CSRF attacks that sidestep the application's own authorisation checks.",
    "common_mistakes": [
        "Not calling session_regenerate_id(true) after login (or after any privilege change) — leaves the pre-authentication session ID valid, so an attacker who planted that ID in the victim's browser can use it for fixation attacks.",
        "Not setting session.cookie_httponly, session.cookie_secure, and session.cookie_samesite.",
        "Storing sensitive data like plaintext passwords in the session.",
        "Not destroying the session completely on logout — session_destroy() alone neither clears $_SESSION for the current request nor expires the cookie in the browser; set $_SESSION = [], call session_destroy(), and expire the session cookie."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "csrf",
        "insecure_cookie",
        "privilege_escalation"
    ],
    "prerequisites": [
        "session_fixation",
        "insecure_cookie",
        "cookie_security_advanced"
    ],
    "refs": [
        "https://www.php.net/manual/en/book.session.php",
        "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"
    ],
    "bad_code": "// Insecure session start — default settings:\nsession_start(); // No secure flags, no regeneration\n$_SESSION['user_id'] = $user->id;\n\n// Secure:\nini_set('session.cookie_httponly', 1);\nini_set('session.cookie_secure', 1);\nini_set('session.cookie_samesite', 'Lax');\nsession_start();\nsession_regenerate_id(true); // After login",
    "good_code": "// Secure session configuration (php.ini or ini_set before session_start)\nini_set('session.cookie_httponly', 1);  // JS cannot read cookie\nini_set('session.cookie_secure', 1);    // HTTPS only\nini_set('session.cookie_samesite', 'Strict');\nini_set('session.use_strict_mode', 1);  // reject unrecognised session IDs\nini_set('session.gc_maxlifetime', 1800); // 30 min idle timeout\n\nsession_start();\n\n// After login — always regenerate to prevent session fixation\nsession_regenerate_id(true);\n$_SESSION['user_id'] = $user->id;\n$_SESSION['role']    = $user->role;\n\n// Destroy on logout\n$_SESSION = [];\nsession_destroy();\nsetcookie(session_name(), '', time() - 3600, '/'); // clear cookie",
    "quick_fix": "Set session.cookie_secure=1, cookie_httponly=1, cookie_samesite=Lax, use_strict_mode=1 in php.ini; call session_regenerate_id(true) on login",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/session",
        "html_url": "https://codeclaritylab.com/glossary/session",
        "json_url": "https://codeclaritylab.com/glossary/session.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[PHP Session](https://codeclaritylab.com/glossary/session) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/session"
            }
        }
    }
}