I just thought of something about securing sessions, and it's bugging me. So could someone help me figure this out?
Alright, let me explain how I think of it. (don't worry, I'll get to the point in a minute)
    <?php
    session_start();

    // Default to "not logged in" only when the session has no flag yet;
    // resetting it on every request would log the user out each time.
    if (!isset($_SESSION['login'])) {
        $_SESSION['login'] = false;
    }

    if ($_SESSION['login'] === false) {
        // execute login code . . . (the login code sets $success)
        // if the user had logged in successfully
        if ($success === true) {
            echo "Successfully logged in.";
            $_SESSION['login'] = true;
            $_SESSION['username'] = $_POST['username'];
            // remember, I just wrote up an example,
            // and everything would be filtered and sanitized
            // if this were production code
        }
    }

    if ($_SESSION['login'] === true) {
        // get database user information where username is $_SESSION['username'].
        // also, the database table: users, would have unique usernames,
        // they can't be the same.
    }
The only piece of the session that the user has in their browser is the Session ID in the cookie. Period.
Users cannot view or edit session data locally, it's all stored on the server.
Modern PHP's session generation is fairly solid as well, making it very difficult for an outside entity to guess a valid session ID, and if you're using SSL [which, in this day and age, you should be] it's nigh-impossible for someone to steal Session cookies in-transit.
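As an added illustration of the flow in the question and the points in the answer (this is example code, not the asker's or the answerer's): the browser only ever holds the session ID, all login state lives in $_SESSION on the server, and the lookup after login uses the value the server stored rather than anything the client sends. The cookie flags, the strict-mode setting and the ID regeneration on login are the additions a practitioner would want on top of that. The $users array, find_user_by_username() and the password are constructed for the example; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original thread. find_user_by_username()
// and the $users array are stand-ins for the "users" table in the question.

declare(strict_types=1);

// The session ID is the only thing the browser holds, so protect the cookie:
// HTTPS-only (the answer's SSL point), not readable from JavaScript, and
// not sent on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Refuse session IDs the server never issued.
ini_set('session.use_strict_mode', '1');
session_start();

// Constructed stand-in for the users table; usernames are unique keys.
$users = [
    'alice' => [
        'id'            => 1,
        'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

function find_user_by_username(array $users, string $username): ?array
{
    return $users[$username] ?? null;
}

function login(array $users, string $username, string $password): bool
{
    $user = find_user_by_username($users, $username);
    // A failed attempt leaves the session exactly as it was.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh ID on privilege change so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['login']    = true;
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $username;
    return true;
}

function current_user(array $users): ?array
{
    if (($_SESSION['login'] ?? false) !== true) {
        return null;
    }
    // Look the user up by what the server stored, never by a client-supplied value.
    return find_user_by_username($users, $_SESSION['username']);
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Request handling: the server-side session, not the client, decides who is logged in.
if (current_user($users) === null) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if ($username !== '' && login($users, $username, $password)) {
        echo "Successfully logged in.\n";
    }
}

if (($user = current_user($users)) !== null) {
    echo 'Hello, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

Run it behind a web server that serves the page over HTTPS; with a plain HTTP origin the browser will not store a cookie marked secure, so the login would appear to succeed and then be forgotten on the next request.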