
Session Security

Regenerate the session ID on login to prevent session fixation. Send the session cookie with the Secure and HttpOnly flags. Set an appropriate idle timeout so abandoned sessions cannot be reused.

Example
<?php
session_start();
// On successful login ($user is the authenticated user record):
session_regenerate_id(true); // new ID, old session file deleted: prevents session fixation
$_SESSION["user_id"] = $user["id"];
$_SESSION["ip"] = $_SERVER["REMOTE_ADDR"];
// php.ini hardening:
// session.cookie_httponly = 1
// session.cookie_secure   = 1
// session.cookie_samesite = Lax
// session.use_strict_mode = 1
// Timeout check: drop sessions idle for more than 30 minutes
if (isset($_SESSION["last"]) && time() - $_SESSION["last"] > 1800) {
    session_destroy();
    redirect("/login"); // application helper, assumed to send a Location header
    exit;               // stop processing once the redirect has been sent
}
$_SESSION["last"] = time();
Pro Tip

session_regenerate_id(true) issues a new ID and deletes the old session file, so the pre-login ID cannot be resumed; always call it immediately after a successful login.
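The settings and checks above packaged as reusable functions, as an added example that is not SyntaxStudy's own code; it assumes PHP 7.3 or later and applies the php.ini values at runtime for hosts where php.ini cannot be edited.

```php
<?php
// Added example, not SyntaxStudy's code: runtime equivalents of the php.ini
// settings above plus regenerate-on-login, idle-timeout and logout helpers.
const IDLE_TIMEOUT = 1800; // seconds of inactivity before the session is dropped

function secure_session_start(): void
{
    // Reject IDs the server never issued (closes the fixation path).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    session_start();
}

function login_user(int $userId): void
{
    // Fresh ID so a pre-login ID is worthless; true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last']    = time();
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the browser cookie too, not just the server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Logged-in user ID, or null when the session is missing or idle too long.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last'])) {
        return null;
    }
    if (time() - $_SESSION['last'] > IDLE_TIMEOUT) {
        logout_user();
        return null;
    }
    $_SESSION['last'] = time(); // activity extends the window
    return $_SESSION['user_id'];
}
```

Call secure_session_start() before any output on every request, login_user() only after credentials have been verified, and current_user() wherever a page needs to know who is signed in.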