Sessions-related attacks

In this second chapter of the course you will learn how to use PHP Sessions securely.

Many PHP-based web applications use Sessions to keep track of remote users, and chances are you have already used Sessions in some of your projects.

Sessions are very useful when you need to implement an authentication system, an e-commerce website or any other application that needs to "remember" returning users.

Sessions create a link between your PHP application and remote users, and it’s very important that you keep this link secure and safe from attacks. This is especially true when Sessions are used for authentication purposes.

But don't be scared: keeping Sessions secure is not too hard if you know what to do.

Sessions-related attacks

There are two common Sessions-related attacks you must defend against:

  • Session Fixation, and
  • Session Hijacking.

As you will learn in the next lessons of this chapter, you can prevent or mitigate these attacks by properly configuring your Sessions environment, avoiding data leaks and following PHP Sessions security practices.


You will be asked to check and edit your PHP configuration file (the php.ini file).

If you are working on a remote server and you don't have access to the PHP configuration, I suggest you install a local development environment and work locally. See the introduction chapter for more details.


If you are not familiar with Sessions, this is a great time to learn about them!

You can follow my tutorial here:

Or, if you prefer, you can look at the official PHP documentation here.

If you are going with my tutorial, feel free to skip the security section because this course is much more detailed.

Ready? Let's move on to the next lesson to learn about fixation attacks and how to prevent them.