I am coding a website in PHP that contains the boolean $_SESSION['logged_in']. This is set to true when a username and password match are present
The only way I can see where this attack would be possible is if there is some other exploit in your code, or if they have access to your server (via another means). Of course, if they have access to your server, they have access to your database, source code, probably web logs, possibly all raw internet traffic including passwords....