Developing a secure PHP login and authentication strategy

借酒劲吻你 2020-12-13 03:05

I'm developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it's a bit confusing, so

8 answers
  •  北荒 (OP)
    2020-12-13 03:56

    Most sites just use the PHP session; the session data ($_SESSION) is in a file on your server. All that's sent to the browser is a session ID. Be sure to regenerate the session each request (session_regenerate_id). You don't need to be sending two cookies or anything.

    This is less vulnerable to session hijacking as every request is a new ID, so an old one intercepted by an attacker is useless.

    The best solution, obviously, would be to use SSL throughout the entire session.
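
Added example, not part of the answer above or of any project's code: a PHP session bootstrap that keeps data in `$_SESSION`, sends only the session ID cookie, issues a new ID on every request, and refuses to run without HTTPS. The function names `start_rotating_session` and `log_in` are hypothetical; it assumes PHP 7.3 or later (array form of `session_set_cookie_params`) and that TLS terminates at the PHP server.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call once at the top of every page, before any output.
function start_rotating_session(): void
{
    // Assumption: TLS terminates at PHP, so $_SERVER['HTTPS'] is populated.
    // Behind a reverse proxy, check the header that proxy sets instead.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(400);
        exit('HTTPS required');
    }

    // Reject session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // cookie is only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();

    // New ID on every request. Passing true deletes the old session file,
    // so an ID captured from an earlier request no longer maps to any data.
    session_regenerate_id(true);
}

// Hypothetical helper: call after the password check has succeeded.
function log_in(int $userId): void
{
    session_regenerate_id(true);      // fresh ID at the privilege change
    $_SESSION['user_id'] = $userId;   // stored server-side, never in the cookie
}

start_rotating_session();
$currentUser = $_SESSION['user_id'] ?? null;  // null means not logged in
```

Deleting the old session on every request can log a user out when the browser sends requests in parallel, because a request still carrying the previous ID finds no session data.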
