I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present.
The most common problem encountered in the domain of sessions is Session Hijacking. This is due to the fact that sessions are associated with a session parameter. This parameter needs to be supplied by the user every time he sends a request to the server. As you can imagine, if someone is able to guess or retrieve the parameter, they can 'hijack' the session.
Edit: For security measures against it take a look at the post of Eugen Reck.
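As an added illustration (not code from the question or from either answer), the following PHP login handler sets the `$_SESSION['logged_in']` flag the way the question describes, while applying the session-ID hygiene that makes the hijacking scenario above harder: the ID is accepted only from a cookie, only if the server issued it, the cookie is HTTPS-only and hidden from JavaScript, and a fresh ID is issued at the moment of login. It assumes the site is served over HTTPS; the user table and the `verify_credentials()` helper are constructed for the example.

```php
<?php
declare(strict_types=1);

// The session ID is the only thing that ties a request to a logged-in
// session, so keep it off the URL, out of JavaScript, and HTTPS-only.
ini_set('session.use_only_cookies', '1');   // never read the ID from the query string
ini_set('session.use_strict_mode', '1');    // reject IDs the server did not itself issue
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,       // assumption: the site is served over HTTPS
    'httponly' => true,       // not readable by document.cookie
    'samesite' => 'Lax',      // not sent on cross-site POSTs
]);
session_start();

// Constructed user table; a real site would load the hash from its database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hypothetical helper: checks the submitted password against the stored hash.
function verify_credentials(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

function login(array $users, string $user, string $pass): bool
{
    if (!verify_credentials($users, $user, $pass)) {
        return false;
    }
    // Issue a new ID at the privilege change, so an ID that was captured or
    // handed to the victim before login does not become a logged-in session.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $user;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Minimal request handling for the example.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'logged in' : 'invalid credentials';
}
```

Pages that require a login should then test `!empty($_SESSION['logged_in'])` after `session_start()`; with `use_strict_mode` on, a guessed or stale ID simply produces an empty session rather than someone else's.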