Is this a safe use of Session Variables?

执念已碎 2020-12-17 04:17

I used $_SESSION['name'] to handle data from page to page. I mainly used it to keep the user logged in between pages. Within every page, I check if $_SESSION['logged_in']

4 answers
  •  轮回少年
    2020-12-17 05:01

    That's pretty good, here are a few other tips for session management:

    1. Do not accept session identifiers from GET/POST variables: Session identifiers in URL (query string, GET variables) or POST variables are not recommended as it simplifies this attack. It is easy to make links on forms which set GET/POST variables.

    2. Regenerate the SID on each request: In PHP use session_regenerate_id(). Every time a user's access level changes, it is necessary to regenerate the session identifier. This means that although an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use the SID.
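The two tips above, applied with PHP's own session functions, as an added example that is not part of the answer. The helper names (secure_session_start, login_user, logout_user, require_login) and the redirect target /login.php are assumptions; the ini settings and session_* calls are PHP's standard API.

```php
<?php
// Added example: a login-session helper following the two tips in the answer.
// Function names and the /login.php path are hypothetical.

function secure_session_start(): void
{
    // Tip 1: take the session ID only from the cookie, never from GET/POST,
    // and never let PHP append it to URLs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the client invented; only IDs PHP issued are accepted.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(string $username): void
{
    // Tip 2: the access level changes here, so issue a fresh ID and delete the
    // old session data; a previously known ID is no longer valid afterwards.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['name']      = $username;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

function require_login(): void
{
    // The per-page check from the question.
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.php');
        exit;
    }
}

secure_session_start();
require_login();
```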
