How secure are PHP sessions?

抹茶落季 2020-12-12 17:30

I'm primarily a C++ programmer, but I'm trying to pick up some PHP.

Apparently the way to implement web user sessions is to store the user's login ID in a cookie

6 answers
  •  無奈伤痛
    2020-12-12 17:49

    Answering this question needs 2 approaches:

    1. PHP session IDs are hard enough to guess for most use cases. Not much harder or less hard than other widely used systems.

    2. Trusting only a session cookie (and only the existence of a session cookie) seems not to go very far security-wise to me, no matter where this session cookie comes from - PHP or elsewhere.

    So, in short: PHP sessions are as secure as your use of them makes them be. This is true for any session-cookie-based system I know of.
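
The following example is added here and is not part of the answer above. It contrasts a check that trusts the mere existence of a session cookie (point 2) with one that derives identity from server-side session data. The function names, the `user_id` and `last_seen` keys and the 30-minute timeout are assumptions; the array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Weak check (what point 2 warns about): any cookie with the right name passes,
// whether or not the server ever attached a logged-in user to that session.
function isLoggedInWeak(): bool
{
    return isset($_COOKIE[session_name()]);
}

// Start a session with strict ID handling and restrictive cookie attributes.
function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumes the site is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the credentials were verified. $userId is a hypothetical application value.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true);              // new ID on privilege change (blocks fixation)
    $_SESSION['user_id']   = $userId;         // identity lives on the server, not in the cookie
    $_SESSION['last_seen'] = time();
}

const IDLE_TIMEOUT = 1800; // assumed idle limit: 30 minutes

// Hardened check: identity comes from server-side session data, with an idle timeout.
function currentUserId(): ?int
{
    $uid  = $_SESSION['user_id'] ?? null;
    $seen = $_SESSION['last_seen'] ?? 0;
    if (!is_int($uid) || (time() - $seen) > IDLE_TIMEOUT) {
        $_SESSION = [];                       // drop any stale data
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();                // remove the server-side record
        }
        return null;
    }
    $_SESSION['last_seen'] = time();          // sliding expiry
    return $uid;
}
```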
