$_SESSION in PHP is secure, but of course it is only as secure as your application makes it. The session variables / parameters are stored at the server level, and the user is given a pseudorandom string (the “session ID”) with which to identify themselves. The weakness is that if that string is intercepted by an attacker, the attacker can then pretend to be that user.
Security Recommendations / Best practice
Look through “Session Management Basics” in the PHP manual.
Always use HTTPS (to prevent attackers from reading the session ID cookie).
- Rejects uninitialized session IDs
- Ensures any sessions created are actually valid, so you can trust a prefix (e.g. if the prefix is $userId-)
Enable session.use_only_cookies and disable session.use_trans_sid
- Avoids user sharing session ID accidentally by sharing a URL with the session ID in it
- Prevents the session ID from appearing in a Referer header
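As an added example (not code from the answer above), here is a request bootstrap that applies those settings at runtime before session_start(). The function and variable names are assumptions; session.use_strict_mode, the cookie flags and the session_regenerate_id() call go beyond the settings the answer names explicitly and are included because they address the same hijacking risk.

```php
<?php
// Added example, not part of the original answer.
// Assumed: this runs at the top of every request and the site is served over HTTPS.

declare(strict_types=1);

function secure_session_start(): void
{
    // The session ID may only come from the cookie, never from a URL or form field.
    ini_set('session.use_only_cookies', '1');

    // Do not rewrite links/forms to carry the session ID, so it cannot leak
    // through a shared URL or a Referer header.
    ini_set('session.use_trans_sid', '0');

    // Reject session IDs the server did not generate itself (uninitialized IDs).
    ini_set('session.use_strict_mode', '1');

    // Cookie flags: only sent over HTTPS, not readable from JavaScript,
    // and not attached to most cross-site requests.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call after a successful login so the authenticated session does not keep
// an ID that may already have been observed by an attacker.
function on_login(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

secure_session_start();
```

The same three ini settings can equally be placed in php.ini so they apply to every script; setting them in code simply makes the dependency explicit and keeps them from being forgotten on a new host.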