I've looked everywhere and haven't found a clear step-by-step tutorial on how to secure sessions/cookies. Here are snippets of my code; I'd like to know how I can improve session security to prevent fixation/hijacking, and cookie safety. These are snippets of code from the user login system.


if ($username == $dbusername && $hashed_password == $dbpassword) {
    if ($admin == '1') {
        $_SESSION['admin'] = 1;
    }

    $_SESSION['logged-in'] = 1;

    header('Location: ' . $return);
}



$time = time()-(60*60*24*365);

setcookie('username[0]', '',$time);
setcookie('username[1]', '',$time);

I call session_regenerate_id() on every page, is that correct to stop session fixation/hijacking?

session_start(); session_regenerate_id(true);


session.use_trans_sid = 0
session.use_only_cookies = 1

Can you please tell me what I should do to improve on this? Examples would help greatly.

One obvious issue is that you are storing the username and userid in the cookie. Are you sure that is necessary? Personally, I'd use a generated code, also stored in the user table, so you can use that to determine who it is.
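An added example, not part of the original posts, sketching the session settings from the question together with the random-code cookie suggested in the reply. It assumes PHP 7.3 or later, HTTPS, a PDO connection in $pdo, and a hypothetical users table with id and remember_token columns; storing only a hash of the code is a choice made for this example.

```php
<?php
// Added example. $pdo, the users table and its remember_token column are assumptions.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
    ini_set('session.use_trans_sid', '0');     // never append the session ID to links
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,         // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the password check has succeeded.
function complete_login(PDO $pdo, int $userId, bool $isAdmin, bool $remember): void
{
    session_regenerate_id(true);  // fresh ID at the privilege change; old one is deleted
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged-in'] = 1;
    if ($isAdmin) {
        $_SESSION['admin'] = 1;
    }
    if ($remember) {
        // Random code goes in the cookie; only its hash is kept in the user table.
        $token = bin2hex(random_bytes(32));
        $stmt = $pdo->prepare('UPDATE users SET remember_token = ? WHERE id = ?');
        $stmt->execute([hash('sha256', $token), $userId]);
        setcookie('remember', $token, [
            'expires' => time() + 60 * 60 * 24 * 30, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}

// Resolve the cookie to a user id, or null when it matches no stored hash.
function user_from_remember_cookie(PDO $pdo): ?int
{
    $token = $_COOKIE['remember'] ?? '';
    if (!is_string($token) || $token === '') { return null; }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE remember_token = ?');
    $stmt->execute([hash('sha256', $token)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}
```

The cookie carries no username or user id, so a captured or guessed value reveals nothing about the account, and clearing remember_token on logout or password change invalidates it server-side.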
