After a long hiatus from PHP I have decided to make a personal site. I was working on some authorization code and just wanted to verify that what I am doing is safe.

Currently I am setting a couple of session variables, one of which is a 'userlevel' which will be used to check if the user has proper access. Usually I would always just go back to the db and grab this value, but I figured if it's safe, and to reduce db strain, I would make it a session value. I have a little system set up that would go back and verify all session variables against the db after a certain time or number of page loads, but I thought this might save some cycles.

Should I get rid of this idea or is it safe?

Thanks.

    I've never used PHP sessions, but AFAIK it should be impossible for the user to tweak the data you store in them. However, the user could send the wrong session ID and hijack somebody else's session. If you force cookie usage this is harder, but still possible.

    For more security, use SSL. 🙂

    BTW I really wouldn't worry about database load unless you anticipate having a seriously high hit rate on your site...
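The following is an added example, not code from the original poster or from any of the replies. It shows the scheme the original post describes (user level cached in the session, re-checked against the database after a set time or number of page loads) together with the cookie hardening gfoot's reply alludes to: the session ID is accepted only from a cookie, never from the URL, and the cookie is marked HttpOnly and Secure so it only travels over SSL/TLS. The `users` table, its `id` and `userlevel` columns, the `$pdo` connection, and the re-verification thresholds are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection $pdo
// and a `users` table with columns `id` and `userlevel`.
declare(strict_types=1);

const REVERIFY_AFTER_SECONDS = 300; // assumption: re-check at most every 5 minutes
const REVERIFY_AFTER_LOADS   = 20;  // assumption: or after 20 page loads, whichever first

// Accept the session ID only from a cookie (never from the URL), reject IDs the
// server did not issue, and keep the cookie out of JavaScript and off plain HTTP.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // requires the site to be served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function fetchUserLevel(PDO $pdo, int $userId): int
{
    $stmt = $pdo->prepare('SELECT userlevel FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A user deleted while logged in gets no access rather than a stale level.
    return $row === false ? 0 : (int) $row['userlevel'];
}

function loginUser(PDO $pdo, int $userId): void
{
    // Fresh session ID on login so an ID set before authentication
    // (session fixation) is not carried into the logged-in session.
    session_regenerate_id(true);
    // These values are written only by this script; nothing in $_GET or
    // $_REQUEST can change what is stored server-side in $_SESSION.
    $_SESSION['user_id']          = $userId;
    $_SESSION['userlevel']        = fetchUserLevel($pdo, $userId);
    $_SESSION['level_checked_at'] = time();
    $_SESSION['loads_since_check'] = 0;
}

function currentUserLevel(PDO $pdo): int
{
    if (!isset($_SESSION['user_id'])) {
        return 0; // not logged in
    }
    $_SESSION['loads_since_check'] = ($_SESSION['loads_since_check'] ?? 0) + 1;

    $tooOld   = (time() - ($_SESSION['level_checked_at'] ?? 0)) > REVERIFY_AFTER_SECONDS;
    $tooMany  = $_SESSION['loads_since_check'] > REVERIFY_AFTER_LOADS;
    if ($tooOld || $tooMany) {
        // Go back to the database so a level changed by an admin (or a revoked
        // account) takes effect within the chosen window.
        $_SESSION['userlevel']         = fetchUserLevel($pdo, (int) $_SESSION['user_id']);
        $_SESSION['level_checked_at']  = time();
        $_SESSION['loads_since_check'] = 0;
    }
    return (int) ($_SESSION['userlevel'] ?? 0);
}

function requireLevel(PDO $pdo, int $minimum): void
{
    if (currentUserLevel($pdo) < $minimum) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of a protected page (after $pdo is connected):
// requireLevel($pdo, 2);
```

The cached level is trusted only between re-checks, so the thresholds bound how long a revoked or downgraded account keeps its old access; pick them according to how quickly a change must take effect, and call `session_regenerate_id(true)` again on any privilege change or logout.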

      Hi,

      To be sure, nothing is 'safe' on the web. As gfoot says, if you need security, use SSL.

      Otherwise, using a db or sessions is as 'safe' as the other. Both methods store the data in folders on the server.

      Paul 🙂

        No - that value is only available through $_REQUEST and $_GET. If you're dragging their user level from a database and essentially caching it in $_SESSION['level'], then the only thing that can change that is your script setting the value explicitly.

        Even if you've got register_globals on (not the best idea) and in the script you have a variable called $userLevel and in the script say

        $userLevel = $_SESSION['level'];

        If they've put a variable with that name in the URL, it will be overwritten by your script's version.

          The point is that, in the end, the weaknesses of both are exposed on the web, whatever those weaknesses are.

          Suppose you want to check a user/password combination. Sending the data over http is insecure whatever method you use to check the data (sessions or db).

          Paul 🙂
