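<?php

declare(strict_types=1);

// php.ini / ini_set best practices — all of these must be applied before
// session_start(). Values are passed as strings so the calls are valid on every
// PHP version (ini_set() only accepts non-string values from 8.1 onwards).
ini_set('session.use_strict_mode', '1');   // reject unrecognised session IDs
ini_set('session.use_only_cookies', '1');  // never accept ID in URL
ini_set('session.cookie_httponly', '1');   // JS cannot read the cookie
ini_set('session.cookie_secure', '1');     // HTTPS only — on a plain-HTTP dev setup the cookie is never sent, so the session silently does not persist
ini_set('session.cookie_samesite', 'Lax'); // CSRF mitigation

/** Idle time in seconds after which a session is treated as stale. */
const SESSION_IDLE_TIMEOUT = 1800;

// Keep server-side garbage collection in step with the application timeout:
// the default session.gc_maxlifetime (1440 s) is shorter than 1800 s, so the
// save handler could discard a session the application still regards as live.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_TIMEOUT);

session_start();

/**
 * Establish an authenticated session for the given user.
 *
 * Called on privilege change (e.g. successful login). The session ID is
 * regenerated first so that an ID the client held before authenticating
 * (session fixation) is never promoted to a logged-in session.
 *
 * @param int    $userId   Authenticated user's identifier.
 * @param string $username Display name stored alongside the ID.
 */
function login(int $userId, string $username): void
{
    // true = delete the old session data immediately. A concurrent request
    // still carrying the old ID will then see an empty session; if that
    // matters, mark the old session obsolete and delete it after a short
    // grace period instead.
    session_regenerate_id(true);

    $_SESSION['user_id'] = $userId;
    $_SESSION['username'] = $username;
    $_SESSION['logged_in'] = true;
    $_SESSION['last_active'] = time();
    // Snapshot of the client address and user agent, compared on every later
    // request by validateSession(). Either key may be absent (e.g. CLI).
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

/**
 * Tear the current session down completely.
 *
 * session_destroy() alone leaves $_SESSION populated for the rest of the
 * request and leaves the session cookie in the browser; this clears both so
 * later code in the same request cannot read stale login state.
 */
function destroySession(): void
{
    $_SESSION = [];

    // Expire the client-side cookie with the same attributes it was set with,
    // otherwise the browser keeps presenting the (now unknown) ID.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000,
            'path' => $params['path'],
            'domain' => $params['domain'],
            'secure' => $params['secure'],
            'httponly' => $params['httponly'],
            'samesite' => $params['samesite'],
        ]);
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

/**
 * Validate the current session on each request.
 *
 * Returns false (and tears the session down) when the user is not logged in,
 * when the client IP or user agent differs from the one recorded at login, or
 * when the session has been idle longer than $idleTimeout. On success the idle
 * timer is refreshed.
 *
 * @param int $idleTimeout Maximum idle time in seconds (default SESSION_IDLE_TIMEOUT).
 */
function validateSession(int $idleTimeout = SESSION_IDLE_TIMEOUT): bool
{
    if (!($_SESSION['logged_in'] ?? false)) {
        return false;
    }

    // Check IP and user agent haven't changed since login. Binding the session
    // to both limits what a leaked session ID is worth. Caveat: mobile clients
    // and NAT pools change IP legitimately, and the user agent is
    // client-supplied, so treat these as heuristics, not a guarantee.
    $ipChanged = ($_SESSION['ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '');
    $agentChanged = ($_SESSION['user_agent'] ?? '') !== ($_SERVER['HTTP_USER_AGENT'] ?? '');
    if ($ipChanged || $agentChanged) {
        destroySession();
        return false;
    }

    // Idle timeout: a session that has not been touched for $idleTimeout
    // seconds is discarded even if it is otherwise intact.
    if (time() - ($_SESSION['last_active'] ?? 0) > $idleTimeout) {
        destroySession();
        return false;
    }

    $_SESSION['last_active'] = time();
    return true;
}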