Home/ Questions/Q 6673133
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T03:35:30+00:00

I’m trying to get the php session cookie where the php session id is

  • 0

I’m trying to get the php session cookie where the php session id is stored to be secure(https) and http only.

$name = session_name();
setcookie($name, $_COOKIE[$name], 0, '/', 'domain.com, 1, 1);

I call the above code before session start. The problem is that it creates two cookies. A secure one the way I want it, and then it creates a regular cookie with no ssl or http-only. Both cookies have the same value.

Is there a way to tell php to create secure(ssl) and http-only session cookies?

Also, instead of making another question. Since we’re on the same topic… Can a user modify $_SESSION variables on their end? I know they can manipulate the session id on their end, but was wondering if $_SESSION is secure to store a userid which the end-user can’t modify on their will.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    PHP creates the cookie for you at the moment you call session_start(), that’s why.

    You can configure that cookie with the session_set_cookie_params function or inside your php.ini.

    session_set_cookie_params($lifetime = 0, $path = '/', $domain, $secure = true, $httponly = true);

    Just configure and remove your own setcookie call, it’s redundant.

    Can a user modify $_SESSION variables on their end?

    No, they can only edit the data in the cookie. That normally results in loosing the session (or getting the session of somebody else if they’re lucky).

    That’s why you need to ask again for the current password if a user want’s to change her/his password. Same for everything similar important.

    Also after a successful login or logout, change the session id:

    session_regenerate_id();

    for log-outs:

    session_regenerate_id(true);
    • 0