Security of $_SESSION?


ToeBee
02-25-2006, 09:34 PM
Hey, I'm still a PHP novice and I have set up a basic members area. I just want to know how secure my script is. From what I have read $_SESSIONS is secure, but I'm wondering how secure. After I check their username and password against the database I register a session.

session_start(); // the session must be started before $_SESSION can be used
// session_register() is deprecated (removed in PHP 5.4) and redundant once you assign to $_SESSION directly
$_SESSION['loggedin'] = "true";

Then on the pages I want only the members to be able to view, I start them off with this if statement:


session_start(); // needed on every page that reads $_SESSION
if (empty($_SESSION['loggedin'])) { // empty() avoids a notice when the key was never set
    header("Location: redirect.php?action=not-logged-in");
    exit; // stop here; without exit the rest of the page is still sent after the redirect header
}


Is this a secure way of doing things? Or can $_SESSIONS be faked like $_POST, $_GET, and $_COOKIE? Thanks for any help.

Daniel T
02-26-2006, 12:01 AM
They can't be faked, but they can be hijacked. Basically, SESSIONs are variables stored on the server, and a single Cookie is stored on the user's computer with the ID of their SESSION. PHP brings up their SESSION variables using the ID in that Cookie.

If the user knew the ID of someone else's SESSION then yes, they could modify the cookie and replace the existing ID with the other person's. However, it wouldn't be easy to obtain this ID since they'd have to pretty much just ask the person for it.

In short... what you're doing is perfectly safe.
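The reply above describes the mechanism: the session data lives on the server and only the session ID travels in a cookie, so the thing to protect is that ID. The following is an added example (not code from anyone in this thread) showing a hardened version of the login/protected-page pattern the original poster described: the cookie is marked HttpOnly, Secure and SameSite, strict mode rejects IDs the server never issued, the ID is regenerated at login so a pre-login ID cannot be reused, the session has a maximum age, and the redirect is followed by exit. The credentials_valid() function is assumed (hypothetical) and stands in for the poster's own database check.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical
// credentials_valid($user, $pass) that checks the database.

// Hardened session cookie: not readable by JavaScript, only sent over
// HTTPS, and not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// --- login.php ---------------------------------------------------------
function login(string $user, string $pass): bool
{
    if (!credentials_valid($user, $pass)) {  // hypothetical DB check
        return false;
    }
    // Issue a fresh ID: whatever ID the browser held before authenticating
    // must not become the authenticated one.
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;            // a real boolean, not the string "true"
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

// --- members-only page -------------------------------------------------
function require_login(int $maxAge = 3600): void
{
    if (empty($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        header('Location: redirect.php?action=not-logged-in');
        exit; // without exit the protected content is still sent to the client
    }
    // Expire authenticated sessions after a fixed time so a stolen ID
    // stays useful only for a bounded window.
    if (time() - ($_SESSION['login_at'] ?? 0) > $maxAge) {
        session_unset();
        session_destroy();
        header('Location: redirect.php?action=session-expired');
        exit;
    }
}

// --- logout.php --------------------------------------------------------
function logout(): void
{
    $_SESSION = [];
    // Also clear the cookie so the browser stops sending the old ID.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The array form of session_set_cookie_params() needs PHP 7.3 or later; on older versions pass the values positionally. The Secure flag assumes the members area is served over HTTPS, which is also what keeps the ID from being read off the wire in the first place.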

ToeBee
02-26-2006, 12:05 AM
Awesome, thanks for the input.

bokeh
02-26-2006, 04:14 AM
ToeBee wrote: "From what I have read $_SESSIONS is secure but I'm wondering how secure."

If you are on a shared server anything you store in the session can be read by every other user of that server.
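The point above is about where the session data is stored, not about the ID: with the default files handler PHP writes session files to a server-wide directory (typically /tmp or the distribution's php sessions directory) that every account on the host shares. As an added example (not code from this thread), here is a bootstrap that points session.save_path at a directory owned by this site alone, outside the web root, and refuses to start if that directory is readable by anyone else. The directory path is an assumption; adjust it to your own account layout.

```php
<?php
// Added example, not from the thread. Keeps session files in a private
// directory instead of the host-wide default shared by every account.
$savePath = __DIR__ . '/../private/sessions'; // assumed path, outside the web root

if (!is_dir($savePath)) {
    // 0700: owner only. The owner must be the user the PHP process runs as,
    // otherwise PHP cannot write session files here.
    if (!mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
}

// Refuse to run with a directory that group or world can read or enter.
$perms = fileperms($savePath) & 0777;
if ($perms & 0077) {
    throw new RuntimeException(sprintf(
        'session directory %s has mode %o; expected 0700', $savePath, $perms
    ));
}

ini_set('session.save_path', $savePath);
// With session.save_handler=files the individual session files are created 0600.
session_start();
```

This only helps when each account's PHP runs as its own system user (suPHP, PHP-FPM pools, CGI). If the host runs every site under one shared user, as classic mod_php does, file permissions cannot separate tenants and the session data should go to storage only this site can authenticate to, for example a database via a SessionHandlerInterface implementation with per-site credentials.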