Sessions
Sessions are a way to preserve data across subsequent page loads. They are a fundamental element in a web application design. Sessions are a building block for functionality like logins and shopping carts.
Sessions must have a dedicated storage location that is available to the web application. WHMCS supports both file-backed and database-backed session storage. The most common choice is file sessions, but database sessions can be advantageous for some environments.
Session Cookies
WHMCS uses cookies to maintain session state and store small amounts of data on visitors’ computers or devices. Cookies are small text files that most websites on the internet store on your device and use to improve your overall experience.
WHMCS uses two types of cookie:
- Session cookies expire when you close your browser. They do not remain on your computer.
- Persistent cookies stay on your computer for a defined period of time.
For example, WHMCS creates the following cookies when you use the WHMCS Client Area:
Cookie | Description | Expiration |
---|---|---|
WHMCSInstanceID | This is the cookie that most PHP-based websites use. This stores the unique session ID for each visitor and enables variables to pass between page loads. The cookie only contains a reference to a session on the server. The user’s browser won’t store any personal information. | Expires when the browser closes. |
WHMCSAffiliateID | WHMCS uses this cookie to store the affiliate ID when an affiliate refers a customer to you. If the customer places an order within the next 90 days following the referral, the affiliate receives credit for it. It is a persistent cookie. | 90 days |
WHMCSLinkID | WHMCS only sets this cookie if you use link tracking. It stores the link that the visitor followed to get to your website, and the system uses it to associate orders with a link to be able to provide conversion rate statistics. It is a persistent cookie. | Persistent |
WHMCSUser | WHMCS uses this cookie if a client chose to have the system remember their details, ensuring that they don’t need to log in multiple times. It is persistent and lasts for 365 days or until logout. | 365 days or logout |
File Sessions
File sessions are the most common choice because they are the default for PHP environments. They require little to no configuration, either by a system administrator or a web application, for sessions to function immediately. File-backed sessions have historically been the first and best choice for single-instance web applications.
When you use file-backed sessions, web applications write a file to a configured directory for each unique visitor. If the server that hosts your WHMCS installation is shared with other applications or individuals, it is possible that those applications or individuals can read and write to that directory as well. Sharing this directory introduces a security risk since sessions may contain sensitive information. It is very common for applications to implicitly trust the information within these files, as if only the application itself had access to them.
Consult with your system administrator, web server documentation, or server’s control panel documentation for more guidance on the evaluation and mitigation of any risks for your environment.
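One way to check a file-session directory for the shared-access risk described above. This is an added example, not part of WHMCS or its documentation. It assumes GNU `stat` and `find`, PHP's default `sess_` file name prefix, and that you pass the session directory and the numeric UID of the account PHP runs as (both are inputs you supply).

```shell
#!/bin/sh
# Added example: audit a PHP file-session directory for access by other accounts.
# Assumes GNU coreutils/findutils (stat -c, find -perm /mode).
#
# Usage: audit_session_dir /path/to/session/dir "$(id -u php_user)"
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_session_dir() {
    dir=$1
    uid=$2
    findings=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # The directory must belong to the PHP account ...
    dir_uid=$(stat -c '%u' "$dir")
    if [ "$dir_uid" != "$uid" ]; then
        echo "FINDING: $dir is owned by uid $dir_uid, expected $uid"
        findings=1
    fi
    # ... and grant nothing to group or other (any bit in 077 set is a finding).
    if [ -n "$(find "$dir" -maxdepth 0 -perm /077)" ]; then
        echo "FINDING: $dir has mode $(stat -c '%a' "$dir"), group/other can access it"
        findings=1
    fi

    # Session files: flag any that group/other can access or that another uid owns.
    bad=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        \( -perm /077 -o ! -user "$uid" \))
    if [ -n "$bad" ]; then
        echo "$bad" | while IFS= read -r f; do
            echo "FINDING: $f has mode $(stat -c '%a' "$f"), uid $(stat -c '%u' "$f")"
        done
        findings=1
    fi

    return "$findings"
}
```

A clean result means only the PHP account can list the directory and read or write the session files in it; other applications that run under that same account can still access them.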
Configuration
In WHMCS, using the default PHP file session storage doesn’t require configuration.
Database Sessions
Database sessions are also a common choice for PHP environments. A web application must provide integration code in order to store session data in a database.
Using a system service, such as a database server, has the benefit of supporting multiple application instances, which may be an important part of a high-availability or scalable infrastructure design. Using database stored sessions mitigates the inherent risks of file-backed session permissions. Some web applications allow the configuration of a dedicated database just for session data. This may help reduce the impact in the event of a SQL injection attack.
Configuration
To use database session storage, set the $session_handling value in the configuration.php file:
$session_handling = 'database';
The session data is stored in the same database that the other configuration values specify.
For more information about the configuration.php file, see The configuration.php File.
Advanced Configuration
If you need them, advanced configuration options are available by specifying a more elaborate value for the $session_handling setting.
For example, advanced configurations might use the following structure and key-and-value pairs:
$session_handling = [
    'serviceProvider' => '\\WHMCS\\Session\\Database\\ServiceProvider', // Do not alter this line
    'database' => [
        'lifetime' => 24 * 60, // Provide a session lifetime in minutes, default is 1440 (1 day)
        'connectionAlias' => 'sessionsDbConnection', // Provide an internal handler name other than "default"
        'config' => [
            'host' => 'my.host.local', // Provide the hostname or IP of the database server
            'database' => 'db_name', // Provide the name of the database to use
            'username' => 'db_user', // Provide the username for authentication at the server
            'password' => 'db_password', // Provide the password for authentication at the server
        ],
        'table' => 'user_sessions', // Provide the name of the table; see tblsessions in WHMCS for schema
        'logErrors' => false, // Whether session SQL errors should be recorded to the activity log when possible
    ],
];
WHMCS does not manage tables or schema outside the core database. If you provide an advanced configuration, you will need to ensure that the named database has the appropriate target table and schema. You can find a copy of the appropriate table schema in the resources/sql/install/tblsessions.schema.sql file.
Using a Remote Database
If you wish to use a remote database for the management of sessions, you will need to create the tblsessions table manually. First, upload the tblsessions.schema.sql file to the remote server at resources/sql/install/tblsessions.schema.sql. Then, import the contents of that file to your database by running the following command:
mysql -u root [database_name] < /path/to/tblsessions.schema.sql
This command requires root access to the server.
Last modified: 2025 April 3