$_SESSION Variables

  • TheServant
    Recognized Expert Top Contributor
    • Feb 2008
    • 1168

    $_SESSION Variables

    If someone knows what I have called my variables stored in a session, would it be easy to fake those variables?

    So $_SESSION['username'] is my variable which I use to recall info from the database. If someone faked that name with someone else's, they will be able to see the other person's account?
  • ronverdonk
    Recognized Expert Specialist
    • Jul 2006
    • 4259

    #2
    Not unless he/she is able to hijack your session by stealing the sessionID.
    See also the article The Truth about Sessions by Chris Shiflett.

    Ronald


    • TheServant
      Recognized Expert Top Contributor
      • Feb 2008
      • 1168

      #3
      Cheers Ron,
      I will have a read and get back if I have any more questions.


      • ronverdonk
        Recognized Expert Specialist
        • Jul 2006
        • 4259

        #4
        Okay, read that and you'll see how to protect your sessions. Also pay attention to the fact that you could try a hijack using JavaScript when sessions are stored in a cookie.
        It is cumbersome, but using a database (like MySQL) to store your session data would be more secure.

        ronald

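One way to put Ron's advice into practice, as an added example that is not code from this thread: it locks the session cookie away from JavaScript, regenerates the id on login, and binds the session to a browser fingerprint so a mismatch forces a fresh login. `credentials_valid` and the `$secret` HMAC key are assumed placeholders.

```php
<?php
// Added example (not from the thread): hardening $_SESSION use in PHP.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and HTTPS.

// 1. Keep the session cookie away from JavaScript and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,  // document.cookie cannot read it
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.use_only_cookies', '1'); // never take the id from the URL
session_start();
// 2. Bind the session to a coarse client fingerprint. User-Agent is forgeable,
//    so this only raises the bar; protecting the id itself matters more.
function client_fingerprint(string $secret): string
{
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', $secret);
}
// Hypothetical helper: check credentials against your own user table
// (e.g. password_verify($password, $storedHash) after a database lookup).
function credentials_valid(string $user, string $password): bool { return false; }
// 3. On login, issue a fresh id so a pre-set (fixated) id cannot be reused.
function login(string $user, string $password, string $secret): bool
{
    if (!credentials_valid($user, $password)) {
        return false;
    }
    session_regenerate_id(true);             // new id, old one destroyed
    $_SESSION['username']    = $user;        // store identity, never the password
    $_SESSION['fingerprint'] = client_fingerprint($secret);
    $_SESSION['last_active'] = time();
    return true;
}
// 4. On every request, verify the binding and idle timeout before trusting $_SESSION.
function current_user(string $secret, int $idleSeconds = 1800): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['fingerprint'], $_SESSION['last_active'])) {
        return null;
    }
    $stale    = time() - $_SESSION['last_active'] > $idleSeconds;
    $mismatch = !hash_equals($_SESSION['fingerprint'], client_fingerprint($secret));
    if ($stale || $mismatch) {
        $_SESSION = [];
        session_destroy();                   // force a fresh login
        return null;
    }
    $_SESSION['last_active'] = time();
    return $_SESSION['username'];
}
```

Call `current_user($secret)` at the top of every protected page and treat `null` as "not logged in"; the password itself never needs to live in `$_SESSION`.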

        • TheServant
          Recognized Expert Top Contributor
          • Feb 2008
          • 1168

          #5
          Besides fingerprinting the browser, I didn't find what I was looking for.
          I can check it at home, but different tabs (not windows) in the browser: do they each create a new session_id?
          What about if I leave one website (not signing out) and just go to another website, it will still be the same session won't it?
          That would mean that my session variables are still there and accessible on the new website?

          Do you recommend storing the session id and browser in MySQL, and if the user session id and/or browser does not match then prompt for a password to overwrite those database values?

          Sorry for all the questions, but I am finding too many holes which someone who knew what they were doing could get by.


          • TheServant
            Recognized Expert Top Contributor
            • Feb 2008
            • 1168

            #6
            I am now thinking that I have this whole session understanding wrong because of a very fundamental error. The session is given by the server, not the browser? So where are session ids stored while you go to another site?

            For example, how does it work when I am at one site with a set of variables (session_id_a) and then go to another site with another set of variables (session_id_b), and then go back to the original site and still have my original variables? Is it the browser that stores session_id_a --> site_1 and session_id_b --> site_2?

            So does that mean to hijack a session, the attacker would need to wait until one is issued to a user, find out what that id is somehow and then submit that session_id as well as the checks that I have ($_SESSION['username'] and $_SESSION['password']) which cannot be found unless they can get my server to run a script which exposes the variables inside the session (is that hard)?
