Tips for Secure Session Management

Feb 13, 2014, by admin

In this post I’ll give you a brief description of how to manage sessions properly in your application, along with some quick tips on managing sessions and avoiding some common security vulnerabilities.

How to Manage Session in Your Application

We need to call session_start() before storing any information in a session. The session start is always done at the beginning of the PHP code, and must happen before any text, HTML, or JavaScript is sent to the browser, because PHP sends the session cookie in the response headers.

<?php
// start Session
session_start();
// store session data
$_SESSION["username"] = "Webuser";

session_start() starts the session between the user and the server, and makes the values stored in $_SESSION accessible from other scripts.

In any application page where you need the stored session values, you call session_start() again and then read the values from $_SESSION.

<?php
// This will continue the session
session_start();
// retrieve session data
echo "Username = " . $_SESSION["username"];

This is a very basic example of storing and retrieving data in a session. We stored “Webuser” under the key “username” in the $_SESSION array, and then read it back from $_SESSION using the same key. $_SESSION lets you store and retrieve information across the page requests of a user’s active browsing session.

Once you have started a session and stored values in it, it is just as important to end the session carefully. A session is only a temporary way to store data, so it is very important to clean up after yourself, both to ensure maximum security when dealing with potentially sensitive information and to avoid a huge amount of session data piling up on your server.

You can use unset() function to delete a single session value:

<?php
session_start();
// delete the username value
unset($_SESSION["username"]);

If you want to unset all of the session values, you can use the session_unset() function:

<?php
session_start();
// delete all session values
session_unset();

Both examples above only delete the data stored in the session, not the session itself. You can still store other values in $_SESSION after calling them if you so choose. If you wish to stop using the session completely, for example when a user logs out, you use the session_destroy() function.

<?php
session_start();
// terminate the entire session
session_destroy();

It’s highly recommended that, once you are sure you no longer need the session, you destroy it with session_destroy() rather than just unsetting all of its values with session_unset(). If you only unset the values, the session itself is still active and malicious code could store harmful values in it.

You can also make your session more secure against session hijacking by replacing the current session id with a newly generated one. The session_regenerate_id() function replaces the current session id with a new one while keeping the current session data. The id should be regenerated whenever an important authentication action is performed, such as logging in, changing the password or updating user profile data.
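Putting the logout advice and the session id regeneration together, here is an added example (not code from the original post) of a small login/logout pair. verify_credentials() is a hypothetical stand-in for your own password check, and the "Webuser" account it accepts is a constructed sample; the logout routine follows the recipe given in the PHP manual for session_destroy(), which clears the data, expires the cookie in the browser, and only then destroys the session.

```php
<?php
// Added example, not part of the original post. Demonstrates the login and
// logout steps described above: regenerate the session id on login, and on
// logout clear the data, expire the cookie and destroy the session.

declare(strict_types=1);

// Hypothetical credential check. In a real application this compares the
// submitted password against a hash loaded from your user store.
function verify_credentials(string $username, string $password): bool
{
    // Constructed sample user for demonstration only.
    $demo_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $username === 'Webuser' && password_verify($password, $demo_hash);
}

// Ensure a session is active without calling session_start() twice.
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after the credentials have been verified. Regenerating the id
// means a session id that existed before login (e.g. one planted by an
// attacker) no longer identifies the authenticated session.
function login_user(string $username): void
{
    ensure_session();
    // true = also delete the old session data on the server, so the old id
    // cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username']   = $username;
    $_SESSION['logged_in']  = true;
    $_SESSION['login_time'] = time();
}

// Returns the logged-in user name, or null if no valid login is stored.
function current_user(): ?string
{
    ensure_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['username'])) {
        return null;
    }
    return $_SESSION['username'];
}

// Full logout: unsetting the values alone would leave the session active,
// so the cookie is expired and session_destroy() is called as well.
function logout_user(): void
{
    ensure_session();
    $_SESSION = []; // same effect as session_unset() for this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Minimal dispatcher so the file can be dropped into a test page:
//   POST ?action=login  with username/password fields
//   GET  ?action=logout
//   GET  (no action)    shows the current state
$action = $_GET['action'] ?? '';
if ($action === 'login') {
    $username = $_POST['username'] ?? '';
    if (verify_credentials($username, $_POST['password'] ?? '')) {
        login_user($username);
        echo "Logged in as " . htmlspecialchars($username);
    } else {
        http_response_code(401);
        echo "Login failed";
    }
} elseif ($action === 'logout') {
    logout_user();
    echo "Logged out";
} else {
    $user = current_user();
    echo $user === null ? "Not logged in" : "Username = " . htmlspecialchars($user);
}
```

Note that all session calls still happen before the first echo, for the same reason as in the basic examples: the session cookie travels in the response headers, which are sent as soon as output begins.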

In this post you’ve learned what a session is, and how to create, use, and destroy one in PHP. You also learned a few tips to make sessions more secure in your application. For more information on sessions, please check out the PHP Manual – Session Handling.