I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present.
It is not possible for anyone but your code to manipulate values in a session. For someone to bypass that, he'd have to have permission to run code on the server or exploit a security hole in your code or the server (either way a security exploit). If a user is able to do that, he probably doesn't need to bother with fiddling with session values, since he can do virtually anything else on the server directly as well.
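As an added illustration, not part of the original question or answer: a minimal login flow showing that `$_SESSION['logged_in']` is only ever written by server-side code, while the browser holds nothing but the session ID cookie. The `$users` array, the function names and the sample credentials are hypothetical, and the `secure` cookie flag assumes the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (hypothetical): username => password_hash() output.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

function start_session(): void
{
    // The client only ever receives the session ID, so protect that cookie.
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // assumption: HTTPS only
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_start();
}

function log_in(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID once the privilege level changes
    $_SESSION['logged_in'] = true;   // stored on the server, never sent to the client
    $_SESSION['username']  = $username;
    return true;
}

function is_logged_in(): bool
{
    // Strict comparison: only the boolean written by log_in() is accepted.
    return ($_SESSION['logged_in'] ?? false) === true;
}

start_session();

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    // Request data is attacker-controlled; it is checked, never copied into the session.
    if (is_string($username) && is_string($password)) {
        log_in($users, $username, $password);
    }
}

echo is_logged_in() ? 'Welcome back' : 'Please log in';
```

Nothing in the request can set the flag directly: a field named `logged_in` in `$_POST` or `$_COOKIE` is simply ignored, because the code reads the flag only from `$_SESSION`.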