Most PHP applications will store some temporary data in sessions. This can include:
- Authentication
- Cross-site request forgery tokens
- Flash messages
Whilst PHP offers built-in sessions, these are not necessarily secure by default.
As PHP sessions use cookies by default now, this page should be read in conjunction with Cookies.
Secure cookies
The Secure flag should always be set on the session cookie, as your application should always be using HTTPS.
PHP INI configuration:
session.cookie_secure = On
HttpOnly
The session cookie should not be accessible to JavaScript; the HttpOnly flag enforces this in the browser.
PHP INI configuration:
session.cookie_httponly = On
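A small audit of the two settings above, added here as an example and not part of the original page: it parses a php.ini fragment (constructed sample below), applies PHP's boolean value rules and the Off default for a missing key, and reports any flag that is not enabled.

```python
"""Audit a php.ini fragment for session.cookie_secure and session.cookie_httponly."""

# Values PHP's ini parser treats (case-insensitively) as boolean true / false.
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}

# Flags this page requires; both default to Off when the key is absent.
REQUIRED = {
    "session.cookie_secure": "0",
    "session.cookie_httponly": "0",
}


def parse_ini(text: str) -> dict:
    """Return key -> raw value; a later occurrence of a key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment (quoted ';' not handled)
        if not line or line.startswith("["):   # blank line or [Section] header
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def is_enabled(raw: str) -> bool:
    """Interpret a raw ini value the way PHP does for boolean settings."""
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean ini value: {raw!r}")


def audit(text: str) -> list:
    """List required session flags that are not enabled; an empty list means OK."""
    settings = parse_ini(text)
    findings = []
    for key, default in REQUIRED.items():
        raw = settings.get(key, default)
        if not is_enabled(raw):
            state = f"set to {raw!r}" if key in settings else "missing (defaults to Off)"
            findings.append(f"{key} {state}")
    return findings


# Constructed sample: Secure is on, HttpOnly is commented out and so falls back to Off.
SAMPLE_INI = """
[Session]
session.save_handler = files
session.cookie_secure = On   ; app is served over HTTPS only
;session.cookie_httponly = On
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI) or ["session cookie flags OK"]:
        print(finding)
```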