are session safe?

Hello, I've heard an awful lot about login systems that use sessions being vulnerable to XSS.
As the user can change sessions, if the session was storing the username/id of the person logged in, could they change it to access other peoples accounts?
if so how can this be fixed? or is there another way besides sessions?
thanks guyssssss

You could store a random string in the session aswell as the username and update the database for the user when they log in. Then on every page check that the username and the key thing match... That's what I do anyways

PHP: Select all

$key = substr(md5(rand(0, 1000)), rand(0, 27), 5); 

This is something simple to create a key and there's like 27,000 possibilities
It probably won't take long to go through all 27,000 with a program. But the hacker will have to know how the key is generated. Use you imagination

could use salt or something i guess.
could you show me an example of your login script?
is it something like:

PHP: Select all

   $key = substr(md5(rand(0, 1000)), rand(0, 27), 5);
$username = $mysqlquery;
$_SESSION['user'] = $username.$key;
$update = "update set key='$key' where username='$username'"; 

Yeah, close.
But instead of

PHP: Select all

$_SESSION['user'] = $username.$key; 

Set them seperately in the session like this...

PHP: Select all

$_SESSION['user'] = $username;
$_SESSION['key'] = $key; 

Then you don't have to seperate the joint strings when checking

ahh right thanks

No worries, glad to help

are there any other methods or things to add to this one?

Wow... Appears my way of stopping illegitimate users is just as bad as storing just the username.

Haha... Oh dear... Read this... There's a bit on session hijacking
http://www.roscripts.com/Security_in...tions-174.html

apparently storing the users user-agent on log in is a good way as well. (on each page match the user-agent on record with the one sent on the original login. Would take ages to hit a match by brute force!!)

Also regenerating the session id on login.