Quick Tips for Secure Session Management

Most modern websites use sessions to control the experience of individual users and to maintain state between requests (HTTP is, after all, a stateless protocol). Sessions are fantastic and incredibly useful, but if managed incorrectly they can expose your website to security vulnerabilities and potentially allow an attacker to gain unauthorized access to user accounts.

$_SESSION is a special array used to store information across the page requests a user makes during a visit to your website or web application. You can think of a session as being like a running application: you open it, make some changes, and then you close it.

Typically many users access the site at the same time, each with their own session. PHP assigns a unique session id to each user's session, and that id is available only to that user. Session information is stored on the server rather than on the user's computer, which makes sessions more secure than plain cookies for passing information between page requests.

In this post I'll give you a brief description of how to manage sessions properly in your application, along with some quick tips on managing sessions and avoiding common security vulnerabilities.

How to Manage Session in Your Application

You need to call session_start() before storing information in a session. The session start is always done at the beginning of the PHP code, and must happen before any text, HTML, or JavaScript is sent to the browser.

<?php
// start Session
session_start();
// store session data
$_SESSION["username"] = "Webuser";

session_start() starts the session between the user and the server, and makes values stored in $_SESSION accessible in other scripts.

In any application page where you need the stored session values, call session_start() again, then read the values from $_SESSION.

<?php
// This will continue the session
session_start();
// retrieve session data
echo "Username = " . $_SESSION["username"];

This is a very basic example of storing and retrieving data in a session. Here we stored "Webuser" in the $_SESSION array under the key "username" and retrieved it back from $_SESSION using the same key. $_SESSION lets you store and retrieve information across the page requests of a user's active browsing session.

After starting a session and storing values in it, it becomes important to end the session carefully. Since a session is only a temporary way to store data, it is very important to clean up after yourself: this ensures maximum security when dealing with potentially sensitive information, and also avoids accumulating a huge amount of session data on your server.

You can use the unset() function to delete a single session value:

// delete the username value
unset($_SESSION["username"]);

If you want to remove all of the session values, use the session_unset() function:

// delete all session values
session_unset();

Both examples above only delete the data stored in the session, not the session itself. You can still store other values in $_SESSION after calling them if you choose to. If you want to stop using the session completely, for example when a user logs out, use the session_destroy() function.

// terminate the entire session
session_destroy();

It's highly recommended that once you are sure you no longer need the session, you destroy it with session_destroy() rather than just unsetting all of its values with session_unset(). If you only unset the values, the session itself is still active, and malicious code could put harmful values into it.

You can also make your session more resistant to session hijacking by replacing the current session id with a newly generated one. The session_regenerate_id() function replaces the current session id with a new one while keeping the current session data. The id should be regenerated whenever an important authentication-related action is performed, such as logging in, changing a password, or updating user profile data.


if ($_POST["action"] == "update_profile" || $_POST["action"] == "change_password") {
    // regenerate the session id after a sensitive action
    session_regenerate_id();
}
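The snippets above show each call in isolation. The following is an added example, not code from the original post, that puts them together into one login/logout flow: it starts the session, rotates the id after login and after sensitive actions, and performs a full logout. It goes slightly beyond the post by also setting the session cookie's secure, httponly and samesite flags and expiring the cookie at logout. The function names (startSecureSession, loginUser, logoutUser, checkCredentials), the demo user and password, and the "action" request parameter are all assumptions made for this example.

```php
<?php
// Added example (not from the original post). Names are assumptions.
declare(strict_types=1);

// Constructed demo credential store; a real application reads this from its database.
const DEMO_USER = 'webuser';
$demoHash = password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);

// Start the session with hardened cookie settings. Must run before any output.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie lives until the browser is closed
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // limits cross-site sending of the cookie
    ]);
    session_start();
}

// Placeholder credential check for the demo (real code looks the user up).
function checkCredentials(string $user, string $password, string $hash): bool
{
    return $user === DEMO_USER && password_verify($password, $hash);
}

// Called only after credentials have been verified. Issuing a fresh id here
// means any id that existed before login is no longer tied to the account.
function loginUser(string $username): void
{
    session_regenerate_id(true);    // true = delete the old session file too
    $_SESSION['username']   = $username;
    $_SESSION['logged_in']  = true;
    $_SESSION['login_time'] = time();
}

// Re-issue the id after any sensitive change, as the post recommends.
function onSensitiveAction(): void
{
    session_regenerate_id(true);
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['logged_in']);
}

// Full logout: clear values, expire the client cookie, then drop the
// server-side session (session_destroy() alone leaves the cookie in the browser).
function logoutUser(): void
{
    $_SESSION = [];
    session_unset();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Request dispatch on a hypothetical "action" parameter, as in the post's snippet.
startSecureSession();
$action = $_POST['action'] ?? '';

switch ($action) {
    case 'login':
        $user = $_POST['username'] ?? '';
        $pass = $_POST['password'] ?? '';
        if (checkCredentials($user, $pass, $demoHash)) {
            loginUser($user);
        }
        break;
    case 'change_password':
    case 'update_profile':
        if (isLoggedIn()) {
            // ... apply the change here, then rotate the session id
            onSensitiveAction();
        }
        break;
    case 'logout':
        logoutUser();
        break;
}
```

The order in logoutUser() matters: the cookie is expired while the session is still active so that session_name() and session_get_cookie_params() return the values used when the cookie was set; session_destroy() then removes the server-side data.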

In this post you've learned what a session is, and how to create, use, and destroy sessions in PHP. You've also learned a few tips for making sessions more secure in your application. For more information on sessions, please see the PHP Manual section on Session Handling.

