Security Patterns for State Management

These patterns address common security vulnerabilities when managing state in web applications. Each pattern solves a specific problem with session and form handling.

1. CSRF Protection

Problem: Cross-Site Request Forgery attacks trick a logged-in user's browser into submitting a form to your site from a malicious page. Because the browser attaches your session cookie automatically, the attacker's submission looks like a legitimate request from that user.

Solution: Include an unpredictable token, tied to the user's session, as a hidden field in each form. On submission, reject the request if the token is missing or does not match the session's copy.

<form method="POST">
    <input type="hidden" name="csrf_token"
           value="<?= $_SESSION['csrf_token'] ?>">
    <!-- form fields -->
</form>
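An added example (not the original page's or demo's code) showing the server side that the form above relies on: generating the session token with a CSPRNG and checking it in constant time before any state-changing work. The function names csrfToken() and csrfTokenIsValid() and the /dashboard redirect are assumptions for illustration.

```php
<?php
// Added example: minimal CSRF helper built on the same
// $_SESSION['csrf_token'] that the form above references.
declare(strict_types=1);

session_start();

// Return the per-session token, creating it on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from a CSPRNG, hex-encoded to 64 characters
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// Accepts mixed so a missing value or an array in $_POST cannot throw.
function csrfTokenIsValid(mixed $submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before doing anything that changes state.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... handle the valid submission here ...
    header('Location: /dashboard');
    exit;
}
?>
<form method="POST">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
    <!-- form fields -->
    <button type="submit">Save</button>
</form>
```

The token is generated once per session rather than per request, so several open tabs stay valid; regenerate it whenever you call session_regenerate_id() on login.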

2. Flash Messages

Problem: After a form submission, you redirect the user (Post-Redirect-Get pattern). How do you show a success/error message on the redirected page?

Solution: Store the message in the session, display it once, then delete it immediately.

<?php
// Store a one-time message in the session (helper assumed by this page;
// session_start() must already have been called)
function setFlash(string $type, string $message): void {
    $_SESSION['flash'][$type] = $message;
}

// After saving data
setFlash('success', 'Your changes have been saved!');
header('Location: /dashboard');
exit; // stop here so nothing runs after the redirect header

// On dashboard, message appears once, then disappears on refresh
?>

Pattern Summary

Pattern               Threat Addressed               Key Technique
CSRF Token            Cross-site form submissions    Hidden field + session validation
Flash Messages        Post-Redirect-Get UX           Session storage + immediate deletion
Session Regeneration  Session fixation               session_regenerate_id(true) on login
Secure Cookies        Cookie theft, CSRF             HttpOnly, Secure, SameSite flags

Universal Security Rules

  1. Never trust client data - Always validate server-side
  2. Always escape output - Use htmlspecialchars() to prevent XSS
  3. Use HTTPS everywhere - Protect data in transit
  4. Regenerate session IDs - On login and privilege changes
  5. Set cookie flags - HttpOnly, Secure, SameSite
  6. Implement CSRF protection - For all state-changing operations

Session Security Configuration

<?php
// Secure session configuration (call before session_start)
ini_set('session.cookie_httponly', 1);    // No JavaScript access
ini_set('session.cookie_secure', 1);       // HTTPS only
ini_set('session.cookie_samesite', 'Lax'); // CSRF protection
ini_set('session.use_strict_mode', 1);     // Reject uninitialized session IDs

session_start();

// ALWAYS regenerate session ID on privilege change.
// $loginSuccessful and $userId are placeholders for the result of your
// own credential check.
if ($loginSuccessful) {
    session_regenerate_id(true);  // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}
?>
