We will end this chapter by discussing some techniques to make user sessions in a web application more secure. Web application security is a broad and complicated topic, and beyond the scope of this book. There are numerous books and articles written on web security, which you should read. We will look at some practices that we can adopt at the application level to minimize the risk of user sessions being compromised.
Each session cookie issued by the application should have a low expiry time. Keeping the expiry time too long increases the risk of the session being compromised, because a stolen or leaked cookie remains usable for as long as it is valid. However, when setting this value, you should be mindful of how users actually work with your website. If you make the expiry time too short, your users will be irritated, as they will be logged out while they are doing something important in your application. You can set the expiry time by either using the session_set_cookie_params()
function or...
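The following added example (not code from the book) shows one way to combine a short cookie lifetime with a sliding idle timeout, so that active users are not cut off while idle sessions expire quickly; the 15-minute value and the `last_activity` key are assumptions chosen for illustration.

```php
<?php
// Added example: short-lived session cookie with a sliding idle timeout.
// SESSION_IDLE_SECONDS and the 'last_activity' key are illustrative choices.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 15 * 60;

// Cookie attributes must be configured before session_start().
session_set_cookie_params([
    'lifetime' => SESSION_IDLE_SECONDS, // browser discards the cookie after this
    'path'     => '/',
    'secure'   => true,     // only transmitted over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict', // not sent on cross-site requests
]);
// Keep server-side garbage collection in step with the cookie lifetime so
// that stale session data does not outlive the cookie that referenced it.
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
session_start();

$now = time();
if (isset($_SESSION['last_activity'])
    && $now - $_SESSION['last_activity'] > SESSION_IDLE_SECONDS) {
    // Idle for too long: discard the data and issue a fresh session ID
    // instead of silently resuming the old session.
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;

// Re-issue the cookie on every request so the expiry slides forward with
// activity; an active user stays logged in, an abandoned session lapses.
setcookie(session_name(), session_id(), [
    'expires'  => $now + SESSION_IDLE_SECONDS,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
```

The options-array forms of session_set_cookie_params() and setcookie() require PHP 7.3 or later; on older versions the same attributes are passed as positional arguments.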