Language-specific configuration (e.g. PHP)
Depending on your tech stack, the language that serves backend requests must be configured to handle requests and user sessions securely; most of these settings are not secure by default. This page focuses on PHP as an example.
Cookie Security
Cookie SameSite
Set it, fool. Most websites will want to set this to Lax. In PHP this is session.cookie_samesite (available since PHP 7.3). Lax sends the session cookie on top-level navigations that use a safe method (a user clicking a link to your site) but withholds it from cross-site POSTs, subresource loads and iframes, which blocks the common CSRF paths. Strict withholds the cookie even when a user follows a link from another site, so they arrive logged out; it breaks a lot of website functionality and is overkill except for websites that absolutely must have maximum security at any cost. SameSite is a mitigation, not a replacement for CSRF tokens on state-changing requests.
Secure Cookies
Yep. Enable this. In PHP it's session.cookie_secure in php.ini (or the cookie_secure option passed to session_start()); it sets the Secure flag on the session cookie, so the browser only sends it over HTTPS connections. This assumes the site is actually served over HTTPS: on a plain-HTTP origin the browser never sends the cookie back and every request starts a fresh session.
Transient Session IDs
Nope. Disable this if it's enabled. In PHP it's session.use_trans_sid; it's disabled by default, but it should not be used. When it is on, PHP rewrites links and forms so the session ID travels in the URL, where it leaks through Referer headers, browser history, proxy and server logs, and shared links. Pair it with session.use_only_cookies = 1 (the default) so that a session ID supplied in a URL is ignored and only the cookie is accepted.
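A php.ini fragment that applies the three cookie settings above, added here as an example and not taken from the original page. The weak or legacy value is noted in the comment beside each hardened line; the drop-in path is an assumption and varies by distribution.

```ini
; Added example: php.ini (or a conf.d/99-session.ini drop-in, path is an assumption).
; Each hardened value is followed by the weak value it replaces.

; Send the session cookie with same-site requests and top-level GET navigations only.
; Unset or "None" lets the browser attach it to cross-site POSTs and iframes (CSRF).
; "Strict" would also drop it on inbound links, logging users out on arrival.
session.cookie_samesite = Lax

; Mark the session cookie Secure so it is sent only over HTTPS (default is off).
session.cookie_secure = 1

; Never rewrite URLs to carry the session ID (default is already 0).
session.use_trans_sid = 0

; Accept the session ID from the cookie only, never from the query string (default is 1).
session.use_only_cookies = 1
```

To check what the running configuration actually is, do not trust `php -r 'echo ini_get("session.cookie_samesite");'` alone: the CLI often loads a different php.ini than the web SAPI (php-fpm, mod_php), so confirm with phpinfo() or ini_get() in a script served by the web server, and confirm the Set-Cookie header in a browser's developer tools carries `Secure; SameSite=Lax`.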
Session Garbage Collection and Session ID Regeneration
Gotta do it yo self. Modern websites don't log users out that often, unless they're security-critical applications like online banking. PHP's session garbage collection (session.gc_maxlifetime, default 1440 seconds) only removes sessions that have been idle for that long, so an active user can keep the same session ID indefinitely. As a result, you should periodically refresh a user's session ID with session_regenerate_id() to limit the window (and the damage) if an attacker learns a user's session ID and hijacks their session, and you should always regenerate it at login so an ID fixed before authentication is not carried over.
An example of how you might go about this is below:
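The following is an added example of periodic session ID rotation, written for this page and not the original page's own code. The 15-minute interval, the `rotated_at` session key and the function names are assumptions; session_start() option keys are the php.ini names without the `session.` prefix.

```php
<?php
// Added example (not from the original page): rotate the PHP session ID on a
// fixed interval and on login. Interval, key names and function names are assumptions.
declare(strict_types=1);

const SESSION_ROTATE_INTERVAL = 900; // seconds; assumed value, tune per application

// Start the session with the cookie flags the page recommends. These override
// php.ini for this request; keep both in agreement so behaviour does not depend
// on which SAPI configuration file happens to win.
session_start([
    'cookie_secure'    => true,
    'cookie_samesite'  => 'Lax',
    'use_trans_sid'    => false,
    'use_only_cookies' => true,
]);

/**
 * Issue a fresh session ID if the current one is older than $interval seconds.
 * Returns true when a rotation happened, so callers (and tests) can observe it.
 */
function rotateSessionIdIfDue(int $now, int $interval = SESSION_ROTATE_INTERVAL): bool
{
    // First request of this session: record when the current ID was issued.
    if (!isset($_SESSION['rotated_at'])) {
        $_SESSION['rotated_at'] = $now;
        return false;
    }
    if ($now - $_SESSION['rotated_at'] < $interval) {
        return false;
    }
    // true = delete the old session data, so an ID captured earlier no longer
    // resolves to this session once the new cookie has been set.
    session_regenerate_id(true);
    $_SESSION['rotated_at'] = $now;
    return true;
}

/**
 * Privilege change: always regenerate, regardless of age, so an ID that an
 * attacker fixed in the victim's browser before login is not kept afterwards.
 */
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

// Run on every request that touches the session.
rotateSessionIdIfDue(time());
```

One caveat on `session_regenerate_id(true)`: deleting the old session immediately means concurrent requests already in flight with the old cookie (for example parallel XHR calls) land on a missing session. If that bites, the PHP manual's alternative is to regenerate with `false`, mark the old session as destroyed with a short expiry timestamp, and reject it after that grace period.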