
Session injection?

Developer https://www.devze.com 2023-04-09 11:11 Source: web

How should I store the user's id in the session? Just insert the id? I mean (for example):

$_SESSION['id'] = 1;

Isn't there a way for the user himself to change it (as with a cookie)? Because if so, he can change it to any id.

One more question about it - how can I check if a user is logged in (with sessions)? I created a session:

$_SESSION['is_logged_in'] = true;

Again, can't the user just create a session variable whose name is 'is_logged_in' and whose value is true? Or does only the server have control over the session's values?


All session variables in PHP are stored server side. The client stores a cookie that references which session should be used, and then the server looks up the values for the session. It is safe to store is_logged_in in your session as well as the user id.

What you should be aware of is that if one user gets hold of another user's session cookie, they will be able to imitate that user until the session times out. One simple solution is to link sessions to IPs.

0
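The point of the answer above, as an added example that is not code from the question or the answer: a minimal PHP login that keeps the user id and the logged-in flag on the server, so the only thing the browser ever holds is the session ID cookie. It also covers the two ways that cookie can be abused: a stolen ID (hijacking) and an ID the attacker made the victim use before login (fixation). The site is assumed to be served over HTTPS; `findUserId` is a hypothetical stand-in for a database lookup with a constructed in-memory user table, and the idle timeout value is an assumption.

```php
<?php
// Added example, not code from the original question or answer.
// Everything in $_SESSION is stored on the server. The browser holds only
// the session ID cookie (PHPSESSID by default), so a client cannot set
// $_SESSION['id'] or $_SESSION['is_logged_in'] itself. What it can do is
// present a stolen ID (hijacking) or make the victim use an ID it already
// knows (fixation); the settings and calls below address both.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 1800; // assumption: 30 minutes idle ends the login

// Cookie and handler hardening must be configured before session_start().
// Assumes HTTPS; with 'secure' => true the cookie is never sent over plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,    // only transmitted over TLS
    'httponly' => true,    // not readable by JavaScript, so XSS cannot simply read it
    'samesite' => 'Lax',   // not attached to cross-site POST requests
]);
ini_set('session.use_strict_mode', '1');  // discard IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
session_start();

/**
 * Hypothetical credential check standing in for a database lookup.
 * The user table is constructed in memory for this example; the hash is
 * computed at startup from a constructed sample password.
 */
function findUserId(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

function login(string $username, string $password): bool
{
    $userId = findUserId($username, $password);
    if ($userId === null) {
        return false;
    }
    // Issue a fresh ID on every privilege change: an ID the attacker planted
    // before login (session fixation) then no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['id'] = $userId;         // lives on the server; the client never sees it
    $_SESSION['is_logged_in'] = true;
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client too, so the old ID is not sent again.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Returns the logged-in user's id, or null. A hijacked cookie is only useful
// while the session still exists, so an idle timeout limits that window.
function currentUserId(): ?int
{
    if (($_SESSION['is_logged_in'] ?? false) !== true) {
        return null;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT_SECONDS) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['id'];
}

// Minimal request handling for the example.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login((string) $_POST['username'], (string) $_POST['password'])) {
        echo 'Logged in as user ' . currentUserId();
    } else {
        http_response_code(401);
        echo 'Invalid credentials';
    }
} elseif (($uid = currentUserId()) !== null) {
    echo 'Hello, user ' . $uid;
} else {
    http_response_code(401);
    echo 'Not logged in';
}
```

Two things are worth noting about the answer's advice on IP binding. Users behind NAT or a corporate proxy share one address, so an attacker on the same network still passes the check, and mobile users change addresses mid-session, which logs them out for no reason. The cookie flags, `session.use_strict_mode`, `session_regenerate_id(true)` at login and an idle timeout are the usual baseline; IP or user-agent binding can be layered on top, but it is not a substitute for them.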

Comments

No comments yet...