I am making a login script that I would like to be as secure as possible. The problem is, security seems to be a never-ending battle. So, essentially, I am looking for suggestions.
I use a cookie-based method (using the setcookie function), but ....
<?php
session_start();
...
// Verify the submitted credentials, then record the user in the server-side session
if (check_login($_POST['user_name'], $_POST['password'])) {
    // Primary key of this user
    $_SESSION['user_id']   = get_user_id($_POST['user_name']);
    $_SESSION['logged_in'] = true;
}
...these methods are wrong!
I cracked my website with an attack based on the cookie.
So if someone pushes you a virus that reads the cookie history of IE or Firefox, you'll be happy to find out that your admin username and password can be used by others.
So how do you fix the problem? Simple: combine the cookie with a server-side session, or the session's cookie with a server-side session, or the session with a file session, or the cookie with a file session.... It will be secure but slow :(
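A hardened form of the login snippet above, added here as an example and not code from either poster: the session state stays on the server, the cookie carries only a rotated id with restrictive flags, and each request is rechecked against server-side context. It assumes the check_login() and get_user_id() functions that the original snippet calls.

```php
<?php
// Added example, not the poster's code: the login above with the session
// kept server-side and the cookie carrying only a rotated, hard-to-steal id.
// Assumes check_login() and get_user_id() exist as in the original snippet.
declare(strict_types=1);

// Session id cookie: unreadable from JavaScript, HTTPS only, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
// Accept only ids the server itself issued; a guessed or injected id is rejected.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

function login(string $user, string $pass): bool
{
    if (!check_login($user, $pass)) {
        return false;
    }
    // Fresh id on privilege change: an id captured before login is useless
    // afterwards (session fixation defence); the old record is deleted.
    session_regenerate_id(true);
    $_SESSION['user_id']   = get_user_id($user);
    $_SESSION['logged_in'] = true;
    // Server-side context the cookie alone does not carry, rechecked per request.
    $_SESSION['created'] = time();
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function is_logged_in(int $max_age = 3600): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua) || time() - $_SESSION['created'] > $max_age) {
        logout();   // replayed from another client or stale: drop it server-side
        return false;
    }
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy(); // server-side record gone; strict mode rejects the old id
}
```

Calling is_logged_in() at the top of every protected page keeps the check on the server, so a copied cookie alone is not enough once the session has been destroyed or has expired.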