Zend PHP 5 – Security – Session Security

Session management is at the core of web security. Users should ensure that several practices are in place to protect against session identity theft.

There are a couple of ways that session security can be compromised:

  • Session Hijacking – When the session ID is stolen and is the sole means of authenticating to the website.
  • Session Fixation – When the user is given a fixed session ID (usually through a specially crafted URL).

Luckily there are some countermeasures that prevent these things from happening, applied through configuration in the php.ini file.

We can set one or both of the following directives:

session.use_cookies = 1
session.use_only_cookies = 1

session.use_cookies specifies whether the module will use cookies to store the session id on the client side.

session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks that involve passing session IDs in URLs.

Cookies are the preferred way to manage session IDs.

A session ID can be regenerated using the session_regenerate_id() function:

session_regenerate_id();

This will replace the current session id with a new one, and keep the current session information.

You can choose to delete the old session's data as well by passing the boolean parameter and setting it to true:

session_regenerate_id(true);

Access to the session cookie by scripting languages such as JavaScript can be prevented by using the session.cookie_httponly configuration directive.

session.cookie_httponly = On

This marks the cookie as accessible only through the HTTP protocol, so it won't be readable by scripting languages such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks.

This can also be done with the session_set_cookie_params() function by passing true as the fifth parameter:

session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);

Some basic session security measures should also be followed:

  • Regenerate the session ID upon user login, before authentication
  • Use SSL encryption
  • Use the session_regenerate_id() function for critical operations
  • Use a short session timeout
  • Provide a user logout
  • Destroy an old and create a new session using session_regenerate_id(true)
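The measures above combined into a single script, as an added example that is not from the original article. It assumes PHP 5.5 and a hypothetical check_credentials() function that you would replace with your own credential check.

```php
<?php
// Added example (not from the original article). Assumes PHP 5.5 and a
// hypothetical check_credentials() that the application must supply.

// Accept the session ID only from a cookie, never from the URL. This mirrors
// the php.ini directives session.use_cookies / session.use_only_cookies and
// session.cookie_httponly, set here at runtime before session_start().
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);

// Lifetime 0 = until the browser closes. $secure follows whether this
// request arrived over HTTPS; the fifth parameter is $httponly.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $secure, true);

session_start();

function check_credentials($user, $pass)
{
    // Hypothetical placeholder: replace with a real credential check.
    return false;
}

function login($user, $pass)
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Replace the pre-login ID so a fixated ID cannot carry over, and
    // delete the old session data on the server (the true argument).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['last_activity'] = time();
    return true;
}

function logout()
{
    $_SESSION = array();
    // Expire the cookie on the client, then destroy the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Short idle timeout (10 minutes): treat a stale session as logged out.
if (isset($_SESSION['last_activity']) && time() - $_SESSION['last_activity'] > 600) {
    logout();
}
```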

Note: This article is based on PHP version 5.5.