Important:
First of all, some important safety tips you should keep in mind:
Your questions:
Since this is a REST application, I will have to use cookies for the session management .. right?
Using sessions will be safer (best), but of course there are many more session management solutions. But if you only use cookies (without PHP $_SESSION), you should, of course, encrypt your cookie. But I would advise you to just use $_SESSION.
What values are stored in cookies?
You do not store anything in cookies. $_SESSION creates a cookie (automatically => you do not need to think about it) for you, which is unique. Everything that you put in $_SESSION is stored on the server so that the user cannot read this. You can store any information that you want to store in the session, but keep in mind that it is better to never store confidential data (contact numbers, credit card, passwords, etc.) in your application. I already mentioned that your $_SESSION is stored on the server, but a cookie that has a unique identifier to match the session stored on disk (or database) can be guessed (faked).
How to check the session?
You verify the session by checking the information stored in the session. I assume that you store at least $_SESSION['id'] = $openid->identity; inside your session. Keep in mind that after a user logs into your site using OpenID, you must regenerate your session (id) to prevent session fixation.
How to log out?
You simply call session_destroy and all data stored inside the session will be deleted.
Hope this explains all your questions.
PS:
A session in a cookie jar gives you a basic introduction to sessions (although I don't see mention of session fixation :$).
Alfred
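The login, check and logout steps from the answer above, written out as an added PHP example (this is not Alfred's code and not from any library the thread mentions). It assumes the site runs over HTTPS, that `$openid->identity` has already been validated by the OpenID library, and it uses hypothetical function names of my own (`login_user`, `current_user`, `logout_user`); the `session_set_cookie_params`, `session_regenerate_id`, `session_destroy` and `setcookie` calls are the standard PHP API.

```php
<?php
// Added example (not from the original answer): minimal server-side session
// handling for an OpenID-style login, with the session id regenerated at login
// to defeat session fixation and the cookie expired on logout.

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: HttpOnly keeps JavaScript away from the session id,
    // Secure restricts it to HTTPS (assumption: the site is served over TLS),
    // SameSite=Lax stops most cross-site requests from carrying the cookie.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the OpenID library has confirmed the identity (hypothetical helper).
function login_user(string $identity): void
{
    start_secure_session();
    // Privilege change: issue a fresh session id and discard the old one, so an
    // id that was planted before login (session fixation) no longer matches.
    session_regenerate_id(true);
    $_SESSION['id']         = $identity;
    $_SESSION['login_time'] = time();
}

// Returns the stored identity, or null when the session carries no login.
function current_user(): ?string
{
    start_secure_session();
    if (isset($_SESSION['id']) && is_string($_SESSION['id'])) {
        return $_SESSION['id'];
    }
    return null;
}

// Clears server-side data and expires the client cookie. session_destroy()
// alone only removes the server side; the browser would keep sending the id.
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a request handler (constructed, not part of the original thread):
// login_user($openid->identity);                       // after validation succeeds
// if (current_user() === null) { header('Location: /login'); exit; }
// logout_user();
```

Only the opaque session id travels in the cookie; `$_SESSION['id']` itself stays on the server, which is the separation the answer describes.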