Question:
PHP: Creating secure sessions?
2009-07-13 02:40:17 UTC
What settings will ensure a session is secure, e.g. changing the session name (session_set_cookie_params)?
Three answers:
Toxin
2009-07-13 03:43:03 UTC
There are a few things you can do to make your sessions secure. You can randomly regenerate the id:

    if (rand(1, 5) == 1) {
        session_regenerate_id(true);
    }

You can store your sessions in a database. It may be best to research this one; there are a few sites that can show you how.

You can encrypt session data with md5 or sha1 (or any other hash you may know).

You can set and compare a session value on every page so that if something has changed you can kill the session and the user cannot view the page anymore (this is more for another user getting the session ID of someone else).

First you must set your info for each user that logs in:

    // $inn is the user's record from the login lookup
    $_SESSION['info'] = $inn['info'];
    $_SESSION['hash'] = md5('SOMETHING RANDOM' . $inn['info'] . $_SERVER['REMOTE_ADDR']);

Then on each page check it:

    if (!isset($_SESSION['hash'])) {
        header("Location: login.php");
        exit;
    } elseif (md5('SOMETHING RANDOM' . $_SESSION['info'] . $_SERVER['REMOTE_ADDR']) != $_SESSION['hash']) {
        // the hash no longer matches what was stored at login, so send the user back to login
        header("Location: login.php");
        exit;
    }

Some servers have it where viewers can look in the tmp directory. This is a bad thing and opens you up to attack: all someone has to do is go to www.domain.com/tmp and they can see the session IDs and try to hijack them. Most servers are moving away from the tmp folder, but I have noticed some web hosts that have not. So keep in mind your code is only as safe as your server.
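The question asks about session_set_cookie_params specifically, and the answer above covers id regeneration and a per-page fingerprint. The following is an added example, not code from the question or from the answer, that puts those pieces together in one bootstrap: cookie flags, use_only_cookies and use_strict_mode, id regeneration on login and on a timer, and an HMAC fingerprint check. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()) and a secret loaded from configuration; SESSION_SECRET, /login.php and the function names are placeholders chosen for the example.

```php
<?php
// Added example: a session bootstrap with the settings the question asks about.
declare(strict_types=1);

// Assumption: an application secret that lives in configuration or the
// environment, not a literal in the source tree. Placeholder value here.
const SESSION_SECRET = 'replace-with-a-long-random-value-from-config';

function secureSessionStart(): void
{
    // The id cookie is never sent over plain HTTP, never readable by
    // JavaScript, and not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept ?sid= in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue (fixation)
    session_name('app_sid');                   // do not advertise the default PHPSESSID
    session_start();

    // Rotate the id on a timer so a leaked id has a bounded useful life.
    // Deterministic, unlike rand(1, 5) == 1.
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = time();
    } elseif (time() - $_SESSION['created_at'] > 900) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = time();
    }
}

function sessionFingerprint(): string
{
    // Bind the session to the client with a keyed hash. REMOTE_ADDR is
    // deliberately left out: mobile users and proxy pools change it mid-session.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, SESSION_SECRET);
}

function loginUser(int $userId): void
{
    // Fresh id on privilege change, so an id planted before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = sessionFingerprint();
    $_SESSION['created_at']  = time();
}

function requireLogin(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])
        || !hash_equals($_SESSION['fingerprint'], sessionFingerprint())) {
        logoutUser();
        header('Location: /login.php'); // placeholder login page
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

secureSessionStart();
// On a login handler: loginUser($idFromDatabase);
// On every protected page, before any output: $userId = requireLogin();
```

Each setting maps to one attack: secure and httponly keep the id off plain HTTP and away from script; samesite stops the cookie riding along on cross-site requests; use_only_cookies stops ids leaking through URLs and referrers; use_strict_mode rejects an id the client made up, which is the session-fixation case; regenerating on login discards any id an attacker planted before authentication. The fingerprint uses hash_hmac() with a server-side secret rather than md5 over a literal in the source, and it omits REMOTE_ADDR on purpose, since users behind NAT pools, mobile carriers and corporate proxies change address mid-session and would be logged out. With secure set the browser will not store the cookie over plain HTTP, so test over TLS.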
sathish bababu
2009-07-13 02:48:48 UTC
What is a PHP Session?

PHP Sessions allow web pages to be treated as a group, allowing variables to be shared between different pages. One of the weaknesses of cookies is that the cookie is stored on the user's computer (and by user we mean the person with the browser visiting your web site). This provides the user the ability to access, view and modify that cookie for potentially nefarious purposes. PHP sessions, on the other hand, store only an ID cookie on the user's system which is used to reference the session file on the server. As such, the user has no access to the content of the session file, thereby providing a secure alternative to cookies. PHP sessions also work when the user has disabled the browser's cookie support. In this situation it includes the session ID information in the web page URLs.

Creating a PHP Session

PHP sessions are created using the session_start() function, which should be the first function call of the PHP script on your web page (i.e. before any output is written to the output stream).

The following example demonstrates the creation of a PHP session:

    <?php
    session_start();
    ?>
    <html>
    <head>
    <title>A PHP Session Example</title>
    </head>
    <body>
    </body>
    </html>

Creating and Reading PHP Session Variables

Variables can be assigned to a session using the $_SESSION array. This is a global array that is accessible to all the pages on your web site. This is also an associative array (see PHP Arrays for details of using arrays in PHP) and as such it is possible to access array elements using the variable name as an index.

Session variables can be any type of data such as strings, numbers, arrays and objects.

Session variables can be defined using a number of mechanisms. Variables can be assigned directly to the $_SESSION array using the assignment operator and variable name:

    <?php
    session_start();
    $_SESSION['userName'] = 'JohnW';
    ?>

Another option is to use the PHP session_register() function. session_register() takes two arguments, the string representing the variable name, and the value to be assigned to the variable:

    <?php
    session_start();
    // session_register() was deprecated in PHP 5.3 and removed in PHP 5.4;
    // assign to $_SESSION directly on current versions.
    session_register('username', 'JohnW');
    ?>

Session variables are accessed by using the variable name as an index key into the $_SESSION array. The session_is_registered() function can also be used to make sure the variable exists before attempting to read the value (which is generally considered to be good practice). For example:

    <?php
    session_start();
    ?>
    <html>
    <head>
    <title>Simple HTML Form</title>
    </head>
    <body>
    <?php
    // session_is_registered() was removed in PHP 5.4; isset($_SESSION['userName']) does the same job.
    if (session_is_registered('userName')) {
        $_SESSION['userName'] = 'Neil';
        echo 'userName = ' . $_SESSION['userName'];
    }
    ?>
    </body>
    </html>

The resulting output from the above page will read:

    userName = Neil

The same PHP code to read the value can be used on any page on your web server to access the current value of the variable.


Writing PHP Session Data to a File

Session data only stays active on the web server until it expires or the session is deleted. Once deleted, all the data associated with the session is lost. A snapshot of the session data can, however, be taken at any time and written out to a file. Once saved, it can be reloaded when required.

To save a session state the session_encode() function is used combined with the PHP file I/O functions (see PHP, Filesystems and File I/O for details of reading and writing files). The session_encode() function returns an encoded string containing the session data. Once this string has been obtained it can be written to a file:

    <?php
    session_start();

    $_SESSION['userName'] = 'JohnW';
    $_SESSION['emailAddress'] = 'johnw@nospam.com';

    $session_data = session_encode(); // Get the session data

    // Open a file to write the session data to. Note that /tmp is normally
    // readable by every local user; keep real session data out of it.
    $filehandle = fopen('/tmp/php_session.txt', 'w+');
    fwrite($filehandle, $session_data); // write the session data to file
    fclose($filehandle);
    ?>

If you are interested in seeing what the encoded session data looks like you can load it into a text editor. The above example creates the following data in the file:

    userName|s:5:"JohnW";emailAddress|s:16:"johnw@nospam.com";


Reading a Saved PHP Session

Once session data has been written to a file it can be read back in, decoded and applied to the current session. This is achieved using the session_decode() function:

    <?php
    session_start();
    ?>

$fileh
mulvey
2016-11-09 14:19:08 UTC
Both cookies and session variables could be hacked, though the former is much easier to do. A cookie is useful for recurring visits, e.g. automatic login (once you pick something like "keep me logged in forever"). However, somebody who is familiar with what the content and format of the cookie looks like can create an identical cookie with the necessary values. I usually use session-based login. Do not store the password, only the username inside the session variable. And on each web page I check if the session variable contains the username; if not, I redirect to the login page. No need to check with the database many times. It would only make sense if the username/password were subject to change very often... which I'm assuming isn't the case.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.