// Created on savesnippets.com · https://savesnippets.com/sZRuUOQXmDiUF1
<?php
function startSecureSession(int $maxIdleSec = 1800): void {
    if (session_status() !== PHP_SESSION_NONE) return;

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_name('app');
    session_start();

    if (isset($_SESSION['_last']) && time() - $_SESSION['_last'] > $maxIdleSec) {
        // Idle too long → kill the session, prevent fixation.
        session_unset(); session_destroy(); session_start();
    }
    $_SESSION['_last'] = time();
}

startSecureSession();