FreeKB - PHP Secure web pages using sessions
PHP - Secure web pages using sessions

You may want to first read about the difference between a session and a cookie.

Starting a session

Add the following PHP to the pages that you want to use sessions.



When navigating to a page that includes session_start(), a cookie will be created in the web browser with a unique session ID number.


Session files on your web server

By default, on a Linux system, sessions will be stored in the /var/lib/php/sesssion directory on the web server. If this directory does not exist, issue the following commands to create the directory. If using an HTTPD web server, configure the directory to be owned by nobody. If using Nginx, configure the directory to be owned by apache.

mkdir /var/lib/php/session
chown apache:apache /var/lib/php/session


Multiple domains

By default, PHP is configured so that sessions are unique to a domain. For example, if a session is started on, the session would not be valid for, and vice versa. If you have two or more domains, and you want a session created on one domain to be valid for another domain, in your php.ini file, set the session.cookie_domain directive to exclude the domain prefix (www, sso, et cetera).

session.cookie_domain = ""


When using this configuration, the domain of the session cookie will be


Session ID

Here is how you would create the session ID variable.

   $_SESSION['id'] = session_id(); 


After the session ID has been created, the following if/else statements can be used to do something based on whether or not the session ID is set and is not empty.

   if(isset($_SESSION['id']) && !empty($_SESSION['id'])) {
     echo "session id is set and is not empty";
   else {
     echo "session id is not set or is empty";


Sign in page

Let's create a simple Sign In page named signin.php. The Sign In page will gather the username and password and send the request over to check.php.

<form method="post" action="check.php">
  <input type="text" name="MyUsername">
  <input type="text" name="MyPassword">
  <input type="submit">


The check.php page will determine if the username and password are valid. Ensure that session_start() is the very first line of code on your page. This is a very simple, and not very secure example. In a production environment, the check.php page would be much more secure. If the username and password exist in the authentication table, the Session ID is set, and the user is redirected to the private.php page. If the username and password do not exist in the authentication table, the user is redirected to the signin_error.php page.

   $myusername = $_POST['myusername'];
   $mypassword = $_POST['mypassword'];

   $count = $con->query("SELECT count(*) FROM authentication where username='$myusername' and password='$mypassword'")->fetchColumn();

   if ($count==1) 
	   $_SESSION['id'] = session_id();


Session Duration

Each session has a duration.  By default, the duration is 1,440 seconds, which is 24 minutes. 


To increase or decrease the session duration, adjust the session.gc_maxlifetime value in your /etc/php.ini file. For example, to set the session duration to 3600 minutes, which is 1 hour. Restart the web server and then refresh your phpinfo.php web page to ensure session.gc_maxlifetime has changed.

session.gc_maxlifetime = 3600


Prevent Session Hijacking

By default, the session.cookie_httponly option in the php.ini file is set to Off. This is problematic, as it would allow a malicious users to use the following Javascript to obtain your session ID numbers, which is an entry point for the malicious users to potentially obtain sensitive data. For this reason, it makes sense to set session.cookie_httponly to On in your php.ini file.

    {cookies: document.cookie}


Destroying Sessions

This code removes the session cookie from the users computer.

	$params = session_get_cookie_params();
	setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));


If the user does not sign out, the cookie will be removed from their computer when they close every browser tab.


Removing the cookie from the users computer will not remove the file with the session ID from the web server. The following cron job will delete file in the /var/lib/php/session directory that are greater than 1 day old.

00 01 * * * find /var/lib/php/session/* -mtime 1 -exec rm {} \;


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 96821 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |