$_SESSION[] in PHP is secure, but of course it is only as secure as your application makes it. The session variables are stored on the server; the user is given only a pseudorandom string (the "session ID"), normally in a cookie, with which to identify themselves on later requests. The weakness is that anyone who obtains that string (by sniffing it, by reading a URL it was pasted into, or by getting the browser to accept an ID of their choosing) can present it and be treated as that user.

Security Recommendations / Best practice

Look through “Session Management Basics” in the PHP manual.

Always use HTTPS (to stop attackers on the network from reading the session ID cookie), and set session.cookie_secure so the browser never sends the cookie over plain HTTP at all.

Enable session.use_strict_mode

  • Rejects uninitialized session IDs: an ID presented by the client that PHP did not itself create is discarded and a fresh one issued, which defeats session fixation (an attacker planting an ID they already know)
  • Guarantees every session in the store was created by PHP, so a prefix in the ID can be trusted (e.g. an ID created with session_create_id() using the prefix $userId-: nobody can hand you a "42-…" ID that the server did not issue for user 42)

Enable session.use_only_cookies and disable session.use_trans_sid

  • Avoids a user accidentally sharing their session ID by pasting a URL that has the ID in it
  • Prevents the session ID from leaking in the Referer header when the user follows a link to another site
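The settings above applied in one place, plus the prefixed-ID trick that strict mode makes trustworthy, as an added example (this is not code from the original page). The ini keys are real PHP settings (session.cookie_samesite needs PHP 7.3+, session_create_id() needs 7.1+); the helper function names and the user_id session key are this example's own choices.

```php
<?php
declare(strict_types=1);

// Apply the hardening settings at runtime; they can equally live in php.ini.
function harden_session_ini(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs PHP did not generate
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never write the ID into URLs/forms
    ini_set('session.cookie_secure', '1');     // cookie sent over HTTPS only
    ini_set('session.cookie_httponly', '1');   // cookie not readable by JavaScript
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+: not sent on cross-site POSTs
}

// Call once the user has authenticated. Assumes harden_session_ini() ran and
// session_start() was already called for the pre-login session.
function bind_session_to_user(int $userId): void
{
    // Discard the pre-login session so an ID an attacker may have planted
    // (session fixation) stops being valid.
    session_unset();
    session_destroy();

    // New ID carries the user ID as a prefix. Because strict mode means the
    // store only ever holds IDs PHP itself created, later requests can trust it.
    $sid = session_create_id($userId . '-');

    // Strict mode rejects a caller-supplied ID that is not yet in the store, so
    // relax it for this one session_start() only (the pattern the PHP manual
    // uses alongside session_create_id()), then turn it straight back on.
    ini_set('session.use_strict_mode', '0');
    session_id($sid);
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION['user_id'] = $userId;
}

// On later requests: returns the logged-in user ID, or null. The ID prefix and
// the stored user_id must agree; a mismatch means tampering, so drop the session.
function current_user_from_session(): ?int
{
    harden_session_ini();
    session_start();

    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        return null;
    }

    $expectedPrefix = $userId . '-';
    if (strncmp(session_id(), $expectedPrefix, strlen($expectedPrefix)) !== 0) {
        session_unset();
        session_destroy();
        return null;
    }
    return (int) $userId;
}
```

The prefix check in current_user_from_session() is only meaningful because session.use_strict_mode is on: with strict mode off, a client could send any cookie value it liked, including one beginning with another user's ID, and PHP would happily create a session under that name.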