
Language-specific configuration (e.g. PHP)

Depending on your tech stack, the language of choice that serves backend requests must be configured to handle requests and user sessions securely. This page focuses on PHP as an example.

Most websites will want to set the SameSite attribute to Lax. Setting it to Strict breaks a lot of website functionality and is overkill except for websites that absolutely must have maximum security at any cost.

Secure Cookies

Enable this. In PHP it's the cookie_secure parameter, meaning cookies may only be passed over HTTPS connections.

Transient Session IDs

Disable this if it's enabled (in PHP it's use_trans_sid, which is disabled by default). It should not be used, because it places the session ID in URLs, where it leaks through server logs, browser history and Referer headers.

Session Garbage Collection and Session ID Regeneration

Modern websites don't log users out that often, unless they're security critical applications like online banking. As a result, you should periodically refresh a user's session ID to mitigate the risk (and damage) of an attacker learning a user's session ID and hijacking their session.

An example of how you might go about this is below.
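As an added example that is not the page's own code, here is one way to do this in PHP: regenerate the ID on a fixed interval and keep the old session record readable for a short grace period, so a concurrent request still carrying the old ID is not logged out while the normal garbage collection (session.gc_maxlifetime) eventually removes it. The 15-minute interval and 60-second grace period are assumed policy values.

```php
<?php
// Added example, not the page's own code. Settings go before session_start().
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never read the ID from a URL
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.gc_maxlifetime', '1440'); // GC removes idle records after 24 min

const REGEN_INTERVAL = 900; // assumed policy: rotate the ID every 15 minutes
const GRACE_PERIOD   = 60;  // assumed policy: old ID stays readable this long

function rotate_session_id(): void
{
    $data  = $_SESSION;           // carry user data over to the new record
    $newId = session_create_id(); // collision-checked while a session is active
    // Mark the old record as rotated but keep it for GRACE_PERIOD so an
    // in-flight request still carrying the old ID isn't logged out.
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $newId;
    session_commit();

    session_id($newId);
    ini_set('session.use_strict_mode', '0'); // allow adopting the ID just created
    session_start();                          // sends the cookie with the new ID
    ini_set('session.use_strict_mode', '1');
    $_SESSION = $data;
    $_SESSION['created'] = time();
}

session_start();
if (isset($_SESSION['destroyed'])) {
    if ($_SESSION['destroyed'] < time() - GRACE_PERIOD) {
        // Old ID reused long after rotation: treat as a possible hijack.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session invalid');
    }
    // Within the grace period: switch this request to the new ID.
    $next = $_SESSION['new_session_id'];
    session_commit();
    session_id($next);
    session_start();
}

if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = time();
} elseif ($_SESSION['created'] < time() - REGEN_INTERVAL) {
    rotate_session_id();
}
```

Regenerate the ID unconditionally at privilege changes such as login as well, not only on the timer.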