Question

When having user login to the site I need to somehow store the logged in user id so that my site can generate different content for different users.

Is it secure to save a user's id in a $_SESSION[] variable?

Is it possible for a user to change the $_SESSION[] data and pretend to be another user?

I use the id to check which data I should fetch from the database and to see which permissions the user has.


Solution

Best and accepted practice is to save the user id in the session.

The session is by default stored in /tmp as a file. It is not viewable by the end user unless you have security issues such as directory traversal vulnerabilities. Most applications use $_SESSION as you are. If there were a widespread weakness then major projects would be doing things differently. You don't have to worry about the server-side session value being obtained through a client-side exploit. Also keep in mind the simplicity of using the session as well. It makes data access to user-specific data that you need to access constantly standard and consistent throughout your application.
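An added example (not the answerer's code) of the pattern the answer recommends, in PHP: the session holds only the user id, set after a password check together with a fresh session id, and the user's permissions are re-read from the database on every request rather than trusted from anything the client sends. The `users` table, its columns and the `$pdo` connection are assumptions.

```php
<?php
// Added example, not from the original answer. The users table, its
// columns (id, username, password_hash, role) and $pdo are assumed.

function start_secure_session(): void
{
    // Cookie flags: not readable by JavaScript, HTTPS only, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a new session id on login so a session id planted before
    // authentication (session fixation) does not carry over.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // Only the id lives in the session; role and other data come from the
    // database each request, so nothing client-controlled decides permissions.
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Call `start_secure_session()` before any output on every page, then `login()` from the login form handler and `current_user()` wherever the page needs to know who is asking.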

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow