The Truth about Sessions, the cover article I wrote for the inaugural issue of PHP Magazine (Digital Edition), is now freely available on my Web site at http://shiflett.org/articles/the-truth-about-sessions. I hope this provides a nice reference for session security in PHP as well as a good description of how session management works in general.
I'm also happy to announce Security Corner, my new monthly column on PHP security that debuted in the February edition of php|architect (released yesterday). The first column covers session fixation, a common session-based attack that previously lacked any good documentation or best practice recommendations for PHP developers. I hope to bring into focus an important topic each month, and I think Security Corner may prove to be a reference point for defending against many application-based attacks. Marco Tabini has graciously agreed to allow Security Corner articles to be made freely available from my Web site six months after publication. So, to get the latest Security Corner, you will need to subscribe to either the electronic or print edition.