Daksh B - 5 years ago 119
PHP Question

Setting secure session cookies in php

Syntax to set session cookies

session_set_cookie_params($lifetime, $path, $domain, $secure, true);


Q1. Is setting a session cookie like the one below secure, or is there more to be done?

session_set_cookie_params(3600, '/', 'www.example.com', isset($_SERVER["HTTPS"]), true); // lifetime, path, domain, secure, httponly; must be called before session_start()


Q2. What should be the ideal lifetime for a session cookie (from a security viewpoint)?

Q3. If I ever decide to shift my web admin folder to a subdomain, will the above code require a change?

Answer Source

A1: Your above code looks ideal; as long as it follows the PHP documentation page, who are we to say otherwise?

A2: This all just depends on exactly what this is being used for. In banking, some like to kill the session within minutes of inactivity. In gaming or social networking, these settings tend to be more relaxed and lenient so as to give the user more leeway.

A3: Yes, you would have to change the cookie to reflect the new subdomain admin change. If you wanted to set a global cookie (that works on all subdomains):

session_set_cookie_params(3600, '/', 'example.com', isset($_SERVER["HTTPS"]), true); // parent domain, so www. and admin. subdomains share the cookie

Hope this helps!
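As an added example that is not part of the question or the answer above, here is a complete PHP 7.3+ session setup that covers all three points: the full set of cookie attributes from Q1 (including SameSite, which the positional form cannot set), a server-side idle timeout for Q2, and a parent-domain cookie for the subdomain case in Q3. The domain `example.com`, the 15-minute timeout, and the function names `requestIsHttps`, `startSecureSession` and `loginUser` are assumptions for illustration, not anything from the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical values for this example: tune both per application.
const IDLE_TIMEOUT_SECONDS = 15 * 60;    // A2: banking-style short idle limit
const COOKIE_DOMAIN        = 'example.com'; // A3: parent domain shared by www. and admin.

function requestIsHttps(): bool
{
    // Some servers populate $_SERVER['HTTPS'] with 'off', so isset() alone is not a
    // reliable test; treat only a non-empty value other than 'off' as TLS.
    return !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
}

function startSecureSession(): void
{
    if (!requestIsHttps()) {
        // A Secure cookie is never sent back over plain HTTP, so the session would
        // silently break; refuse the request instead of falling back to an insecure cookie.
        http_response_code(403);
        exit('HTTPS required');
    }

    // Only accept IDs the server itself issued (defeats fixation via attacker-chosen IDs)
    // and never read the ID from the URL. Keep server-side expiry aligned with the idle limit.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);

    // Cookie attributes must be set BEFORE session_start(). The array form (PHP 7.3+)
    // is the only way to set SameSite. lifetime 0 = cookie discarded when the browser
    // closes; the real timeout is enforced below, because cookie expiry is client-side.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,     // never transmitted over plain HTTP
        'httponly' => true,     // not readable by JavaScript (limits XSS impact)
        'samesite' => 'Strict', // not attached to cross-site requests (limits CSRF)
    ]);

    session_start();

    // Server-side inactivity timeout. On expiry, wipe the data and rotate the ID
    // (the `true` argument deletes the old session record) so the old ID is dead.
    $now = time();
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > IDLE_TIMEOUT_SECONDS) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;
}

function loginUser(int $userId): void
{
    // Rotate the ID on every privilege change so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Call once, before any output is sent, on every request that needs the session.
startSecureSession();
```

Two design points worth noting. First, the cookie `lifetime` is deliberately 0: a browser can keep or discard a cookie regardless of what the server asks, so the idle limit that actually matters is the `last_activity` check together with `session.gc_maxlifetime`. Second, setting `domain` to `example.com` rather than `www.example.com` is what makes the admin subdomain share the session; the trade-off is that every other subdomain receives the cookie too, so it is only appropriate when all of them are trusted to the same degree.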
