Security Basics mailing list archives

PHP Sessions


From: xbennx () hotmail co uk
Date: 21 Sep 2006 16:11:03 -0000

I've posted on this topic before but I still have some unanswered questions...

I keep hearing a lot about PHP session IDs and that an attacker can easily recreate a valid session ID and log in as 
another user. Of course this is dependent on the way the system works and what's used to generate the session ID. This I 
understand.

What I fail to understand is why people use session IDs and pass them via the query string at all? On a site that I 
maintain, I store the session ID in a session variable and then check that rather than a session ID passed through the 
query string. This way the user cannot modify the session ID and therefore only valid sessions are accepted.

Am I missing something here? Is there a way for a malicious user to edit session variables?

Any comments will be appreciated.

Thanks,

Benn
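The question above is whether a user can tamper with session variables. The point worth making for defenders is that the contents of $_SESSION are stored server-side and are never sent to the browser; what the client controls is only the session identifier, so the risk is an attacker supplying, guessing or fixing that identifier, not editing the variables behind it. The following is an added example, not code from the original post or from any project mentioned in it: a PHP session bootstrap for the cookie-based approach the poster describes, which refuses IDs from the query string, rejects IDs the server never issued, and replaces the ID when the user logs in. The function names and the 1800-second idle limit are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original post): a hardened PHP session bootstrap.
// Session *data* ($_SESSION) lives on the server and the client cannot edit it;
// the client controls only the session *identifier*. The settings below therefore
// target the identifier: never read it from the URL, reject identifiers this server
// did not generate, and issue a fresh one when privileges change.

declare(strict_types=1);

function start_hardened_session(): void
{
    // Accept the session ID from a cookie only, never from ?PHPSESSID=... in the URL,
    // and do not rewrite links to carry the ID.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Refuse client-supplied IDs that the server never issued. Without this, PHP
    // would happily create a session under whatever ID the request carried, which
    // is what makes session fixation possible. (PHP >= 5.5.2)
    ini_set('session.use_strict_mode', '1');

    // Array form requires PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // only transmitted over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);

    session_start();

    // Enforce an idle timeout on the server rather than trusting the cookie's lifetime.
    $idleLimit = 1800; // seconds; assumed policy value for this example
    if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > $idleLimit) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

// Call this only after the credential check has succeeded. Regenerating the ID means
// an identifier the attacker planted or observed before login is not the one that
// becomes authenticated; passing true deletes the old session data on the server.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout_user(): void
{
    $_SESSION = [];

    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);

    session_destroy();
}

// Usage sketch:
// start_hardened_session();
// if (password_verify($_POST['password'] ?? '', $storedHash)) {
//     login_user($accountId);
// }
```

Storing a copy of the session ID inside $_SESSION adds nothing on top of this, because PHP loads $_SESSION from the record named by the ID the client presented, so the stored value and the presented value always agree. The protections that matter are the ones above: where the ID may come from, whether unknown IDs are honoured, and whether the ID changes at login.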
