I'm primarily a C++ programmer, but I'm trying to pick up some PHP.
Apparently the way to implement web user sessions is to store the user's login ID in a cookie
If you do this:
$_SESSION['user'] = $username;
Then $username will not be directly stored in a cookie. Instead a unique session id will be generated and stored inside a cookie.
The info that you store in $_SESSION is only stored server side and never sent to the client. On subsequent requests by the client, the server will load the session data by the id stored in the cookie when you do session_start().
It is relatively secure. The only thing that can happen is that somebody could intercept the session id and thus steal the real user's session. HTTPS can prevent that from happening though.
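
A minimal login flow built on the mechanism described in the answer above, added here as an example and not part of the original post: it restricts the session cookie to HTTPS and issues a new session id at login. The user store and the form field names (`username`, `password`) are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample user store; a real application would query a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    // Reject session ids the server did not issue (limits session fixation).
    ini_set('session.use_strict_mode', '1');
    // Accept the id only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // send the cookie over HTTPS only
        'httponly' => true,    // hide the cookie from JavaScript
        'samesite' => 'Lax',   // withhold it on most cross-site requests
    ]);
    session_start();           // loads $_SESSION for the id in the cookie
}

function login(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh id at the privilege change and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;   // kept server side; only the id is in the cookie
    return true;
}

start_secure_session();

$name = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && is_string($name) && is_string($pass)) {
    $ok = login($users, $name, $pass);
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Logged in' : 'Invalid credentials';
} elseif (isset($_SESSION['user'])) {
    echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not logged in';
}
```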