Cover the security basics: "Regenerate the session ID on login, set httponly and secure flags, use SameSite=Lax, and store sessions in Redis for multi-server deployments. Never trust the session ID — it is a bearer token."
PHP sessions: the client presents a session ID in a cookie (PHPSESSID by default) and the server stores the session data, in files by default, keyed by that ID. Security considerations: call session_regenerate_id() after login to prevent session fixation, set the cookie flags (httponly, secure, samesite=Lax or Strict), configure session.cookie_lifetime and session.gc_maxlifetime appropriately, use a custom session handler (Redis, database) for multi-server setups, and never store sensitive data in the session without encryption. Modern frameworks abstract this: Symfony uses its Session component, Laravel uses its session driver system. Strong candidates discuss: the session garbage collection mechanism, why file-based sessions break behind load balancers, session locking and its performance impact, and token-based alternatives (JWT) for stateless APIs.
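The controls listed above, applied in one place, as an added example (not code from the original page or from any framework). It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(); the Redis save handler line assumes the phpredis extension and is left commented as an illustration.

```php
<?php
// Added example: session bootstrap, login, idle check and logout that apply
// the controls from the text. Assumes PHP >= 7.3; names are illustrative.
declare(strict_types=1);

function bootSession(): void
{
    // Reject session IDs the server never issued (defeats fixation via a
    // pre-chosen ID) and never accept the ID from the query string.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Server-side idle limit for garbage collection.
    ini_set('session.gc_maxlifetime', '1800');
    // Multi-server setups: shared store instead of local files (phpredis).
    // ini_set('session.save_handler', 'redis');
    // ini_set('session.save_path', 'tcp://127.0.0.1:6379');   // placeholder host
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Fresh ID on privilege change; true deletes the old session data so the
    // pre-login ID stops working immediately.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function requireActiveSession(int $maxIdleSeconds = 1800): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    if (time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        logoutUser();            // idle too long: destroy server- and client-side state
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();   // expire the cookie with the same attributes
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```

Call bootSession() before any output on every request, loginUser() only after credentials have been verified, and requireActiveSession() in front of authenticated routes.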
Tests understanding of PHP internals and web security. Candidates who do not know about session fixation or who use file sessions behind a load balancer will create security and reliability problems. Those who understand session handling build secure auth systems.