Managing user sessions in PHP is one of the core aspects of building dynamic web applications. By default, PHP sessions use cookies to transfer the session ID between the client and the server. To enhance security, control session behavior, or comply with browser compatibility requirements, you can customize the session cookie parameters using the session_set_cookie_params() function. This article will detail how to use this function and its best practices.
The session_set_cookie_params() function is used to set the session cookie parameters before calling session_start(). These parameters include:
lifetime: How long the cookie remains valid, in seconds. Setting it to 0 means the cookie expires when the browser is closed.
path: The valid path for the cookie. The default is /.
domain: The valid domain for the cookie.
secure: A boolean value indicating whether the cookie should be transmitted only over HTTPS.
httponly: A boolean value indicating whether the cookie should be set as HttpOnly, preventing access through JavaScript.
Starting from PHP 7.3.0, you can also pass an associative array to set these parameters, which is more flexible and readable.
Here is an example of setting cookie parameters using the traditional approach:
<?php
// Positional form: lifetime, path, domain, secure, httponly
session_set_cookie_params(3600, "/", "m66.net", true, true);
session_start();
In the above code, the cookie expires after 1 hour, is scoped to the m66.net domain and every path under /, is sent only over HTTPS, and cannot be read by JavaScript (for enhanced security).
For clearer code structure, it is recommended to set cookie parameters using an array:
<?php
// Array form (PHP 7.3.0 and later); the 'samesite' key is only available in this form
session_set_cookie_params([
    'lifetime' => 3600,
    'path'     => '/',
    'domain'   => 'm66.net',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);
session_start();
Note: The samesite parameter helps prevent CSRF attacks. It can be set to 'Lax', 'Strict', or 'None'. When set to 'None', secure must be set to true.
Enable HTTPS: It is always recommended to serve the site over HTTPS and set secure to true, so that the session ID cannot be intercepted in transit by a man-in-the-middle attacker.
HttpOnly Protection Against XSS: Enabling httponly prevents JavaScript from accessing the cookie, reducing the risk of cross-site scripting (XSS) attacks.
Set a Reasonable Expiration Time: It is not recommended to set a very long cookie lifetime. Generally, a few hours is a reasonable time frame.
Properly Set Domain and Path: Ensure the domain and path are properly set to avoid cookie leakage to unrelated subdomains or paths.
Incorrect Order: You must call session_set_cookie_params() before calling session_start(). Otherwise, the settings will not take effect.
HTTPS Not Enabled: When using secure => true, the site must be accessed via HTTPS; otherwise, the browser will not send the cookie.
Browser Compatibility Issues: The samesite setting may not be supported in older browsers, so it is advisable to consider your target user base before using it.
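Putting the settings and the pitfalls above together, here is an added helper written for this article (not code from PHP or the original page) that applies the array form and refuses the misconfigurations listed. m66.net is the article's placeholder domain; $allowPlainHttp is an assumed option intended only for local development.

```php
<?php
// Added example: hardened session cookie setup that guards the pitfalls above.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params with 'samesite').
function configureSessionCookie(
    string $domain,
    string $sameSite = 'Strict',
    int $lifetime = 3600,
    bool $allowPlainHttp = false   // assumed option: local development only
): array {
    // Pitfall "Incorrect Order": the parameters are ignored once a session is active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('call configureSessionCookie() before session_start()');
    }

    // Pitfall "HTTPS Not Enabled": a secure cookie is never sent over plain HTTP.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
    if (!$isHttps && !$allowPlainHttp) {
        throw new RuntimeException('session cookie requires HTTPS; refusing to set secure=false');
    }

    // samesite accepts only Lax, Strict or None, and None is valid only with secure=true.
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("invalid samesite value: $sameSite");
    }
    if ($sameSite === 'None' && !$isHttps) {
        throw new RuntimeException('SameSite=None requires secure=true, i.e. HTTPS');
    }

    session_set_cookie_params([
        'lifetime' => $lifetime,   // a few hours, as the article recommends
        'path'     => '/',
        'domain'   => $domain,     // scope the cookie to this domain only
        'secure'   => $isHttps,    // true on HTTPS; false only when explicitly allowed
        'httponly' => true,        // not readable from JavaScript
        'samesite' => $sameSite,
    ]);

    // Accept the session ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    session_start();
    return session_get_cookie_params();   // the parameters actually in effect
}

// Usage: m66.net is the article's placeholder domain.
$inEffect = configureSessionCookie('m66.net', 'Strict');
```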