10-26-2007, 03:26 PM
#4
The Wanderer
Join Date: Oct 2007
Posts: 12
Thanks: 0
Hi Wildhoney, I must praise you for writing such a brilliant tutorial; this helped me understand sessions a lot more. This is the only detailed, understandable sessions tutorial I have read so far. There is only one thing which confuses me, and it's about hijacking sessions.
This is how I set up a website I'm making:
Upon logging in, a session starts and defines $_SESSION['users_id'] = $users_id
($users_id being set after all the SQL queries etc)
This is then passed around the pages to confirm the current user.
Now, upon checking my local cookies, I do not see any text stating "users_id", therefore it would be hard to find the id in the text.
Due to being hard to find could it help with security?
I have the feeling it really doesn't help with security, and I have now thought up the more standard sessions method, which is:
Create a table in a database of choice,
Name: users_sessions
Column1: session_id
Column2: users_id
I'm sure you can see where I'm going with this.
The user now logs in, and the session id is stored in the table, then to check which user is logged in, I check the $_SESSION['session_id'] against the database and get the users_id to gather the correct data from the users table.
Is it just as easy for them to hijack the session id as it is to hijack the users id? I know this would avoid them hijacking someone else's session WITHOUT getting the session id from them, but if someone passed their session ID onto them, then it defeats the point of adding more functionality.
To be honest, the whole security criteria of PHP worries me as I don't have mass amounts of knowledge to do with sessions and cookies.
What could you suggest?
Once again - thanks for the brilliant tutorial,
Adam.
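The two designs Adam describes above, written out in PHP as an added example. This is editor-supplied code, not the poster's site or the tutorial's code. It assumes a PDO connection in $pdo, a users table with columns id, username and password_hash, the users_sessions table (session_id, users_id) from the post, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the post). Assumed: $pdo (PDO), a `users` table with
// id/username/password_hash, and the poster's `users_sessions` (session_id, users_id) table.

// Harden the session cookie before session_start(): no JavaScript access (limits theft
// via XSS), HTTPS only (limits theft on the wire), and never accept the ID from the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');      // reject IDs the server never issued
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Design 1: keep users_id in $_SESSION. The browser only ever holds the session ID
// cookie, which is why "users_id" does not appear in the local cookies: it lives server-side.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID on login so an ID an attacker planted or observed
    // beforehand (session fixation) is not the one that becomes authenticated.
    $oldId = session_id();
    session_regenerate_id(true);
    $_SESSION['users_id'] = (int) $row['id'];

    // Design 2: also record the new session ID against the user in users_sessions,
    // so the server can list or revoke a user's sessions later.
    $pdo->prepare('DELETE FROM users_sessions WHERE session_id = ?')->execute([$oldId]);
    $pdo->prepare('INSERT INTO users_sessions (session_id, users_id) VALUES (?, ?)')
        ->execute([session_id(), (int) $row['id']]);
    return true;
}

// Design 1 lookup: trust the server-side session store.
function currentUserId(): ?int
{
    return isset($_SESSION['users_id']) ? (int) $_SESSION['users_id'] : null;
}

// Design 2 lookup: resolve the current session ID through the table. Deleting a row
// logs that session out immediately, which $_SESSION alone cannot do for another session.
function currentUserIdFromTable(PDO $pdo): ?int
{
    $stmt = $pdo->prepare('SELECT users_id FROM users_sessions WHERE session_id = ?');
    $stmt->execute([session_id()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout: drop the table row and the server-side session data, then expire the cookie.
function logout(PDO $pdo): void
{
    $pdo->prepare('DELETE FROM users_sessions WHERE session_id = ?')->execute([session_id()]);
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}
```

Both lookups are equally exposed to an attacker who already holds the victim's session ID, since the ID is the only credential the browser presents; what the table adds is server-side revocation (delete the row and that session is dead), while session_regenerate_id() on login and the HttpOnly/Secure cookie flags address the two common ways an attacker obtains the ID in the first place: fixation and theft.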