If you're handling PHP sessions, don't ignore this:

`lifetime` → how long the session cookie lives
`domain` → which hosts can use it
`path` → which URL paths it applies to
`secure` → HTTPS only
`httponly` → out of JS reach
`samesite` → CSRF defense

small details, big differences.

#php #session #csrf #https
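
An added example, not part of the original post: the six parameters above set through `session_set_cookie_params()` (array form, PHP 7.3+) and checked with `session_get_cookie_params()`. The helper `audit_session_cookie_params()`, its one-hour lifetime threshold and the hardened values are assumptions chosen for illustration.

```php
<?php
// Added example: audit and harden the session cookie parameters.
// Requires PHP 7.3+ (array form of session_set_cookie_params, samesite key).

/** Return a list of weaknesses found in a session-cookie parameter array. */
function audit_session_cookie_params(array $p, int $maxLifetime = 3600): array
{
    $findings = [];
    if (empty($p['secure'])) {
        $findings[] = 'secure is off: cookie is also sent over plain HTTP';
    }
    if (empty($p['httponly'])) {
        $findings[] = 'httponly is off: cookie is readable via document.cookie';
    }
    $sameSite = strtolower($p['samesite'] ?? '');
    if ($sameSite === '') {
        $findings[] = 'samesite is unset: behaviour is left to browser defaults';
    } elseif ($sameSite === 'none') {
        $findings[] = 'samesite=None: cookie is sent on cross-site requests';
    }
    if (($p['domain'] ?? '') !== '') {
        $findings[] = 'domain is set: subdomains of '
            . ltrim($p['domain'], '.') . ' also receive the cookie';
    }
    if (($p['lifetime'] ?? 0) > $maxLifetime) {   // threshold is an assumption
        $findings[] = 'lifetime exceeds ' . $maxLifetime . ' seconds';
    }
    return $findings;
}

// Hardened values (assumptions for this example; adjust to the application).
$hardened = [
    'lifetime' => 0,      // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',     // host-only: not shared with subdomains
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',  // 'Strict' if no cross-site navigation needs the session
];

if (PHP_SAPI !== 'cli') {
    session_set_cookie_params($hardened);  // must run before session_start()
    session_start();
}

// Audit the active values (the php.ini defaults when run from the CLI).
foreach (audit_session_cookie_params(session_get_cookie_params()) as $finding) {
    error_log('session cookie: ' . $finding);
}
```

Run from the command line, the script reports whatever `php.ini` currently sets; served over the web, it applies the hardened array first, so the audit should log nothing.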