is it secutre

Anon

after checking user login/password in case of successful validation we create instance of something like this:

class User {
var $id;
var $some_user's_data

function User ($in){
$this->id = $in['user_id'];//which we use to differentiate users
$this->$some_user's_date = $in['some data'];
}

}

//in login.php in case of successful login

session_start();
session_register("user");
$user = new User($in);

//in any other script to authenticate user will do: session_start();

if ($user->id) {
//we are authenticated
} else {
//we are not authenticated
}

So. Actually authentication is based upon detecting if a user have valid PHPSESSID which maps to proper class structure on the server.
What'd you think?

Anon

It's probably as secure as you are going to get. The PHPSESSID is generated with a fairly good algorythm to keep people from guessing what the next ID is going to be. And thats the only way someone can hijack a session and spoof being logged into your system. You could add some protections like attaching the IP address of where the user is comming from to the $user object and valiadte that as well, then if someone hikacks the session they are going to need to spoof the IP address also. This isn't impossible to do, but it adds another level of protection.