security - How safe are PHP session variables?


I have a login script that verifies the username/password against data in a 'user' table. Furthermore, I have a 'roles' table that specifies the access level of a given user. Assuming I am using safe login scripts, are there security holes in performing an additional query, upon successful login, against the 'roles' table to discover the user's authorization level and storing it in a session variable? The idea is that on a page with mixed authority, I query the session variable to discover the logged-in user's authorization level.

thanks.

Sessions are safer than, say, cookies. It is still possible to steal a session, and then a hacker has total access to whatever is in the session. Ways to avoid this are IP checking (which works pretty well, but is low-fi and not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.

In either security check, there is a loss of usability. If you do IP checking and the user is behind an intranet firewall (or some other situation that causes this) that doesn't hold a steady IP for the user, they have to re-authenticate every time they lose the IP. With a nonce, you get the fun "clicking back will cause the page to break" situation.

But with a cookie, a hacker can steal the session using simple XSS techniques. If you store the user's session ID in a cookie, you are vulnerable as well. Though a session can be penetrated by a server-level hack (which requires more sophisticated methods and some amount of privilege, if the server is secure), you are still going to need some level of verification upon each script request. You should not use cookies and AJAX together, as it makes it a tad easier to totally go to town if the cookie is stolen, since AJAX requests may not do security checks on each request. For example, if a page uses a nonce but the page is never reloaded, the script may not be checking for a match. And if the cookie is holding the authentication method, someone can go to town doing evilness using the stolen cookie and the AJAX hole.
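The pattern the question describes, as an added example that is not part of the question or answer: one role lookup at login stored in the session, a fresh session ID after authentication, HttpOnly/Secure cookie flags against the cookie theft the answer mentions, and a per-request check on protected pages. The `$pdo` connection, the `user` columns (`id`, `username`, `password_hash`) and the `roles` columns (`user_id`, `level`) are assumptions.

```php
<?php
// Added example (not from the question or answer). Assumes a PDO connection
// $pdo, a `user` table (id, username, password_hash) and a `roles` table
// (user_id, level); column names are assumptions.
declare(strict_types=1);

// Cookie flags before session_start(): HttpOnly keeps the session cookie away
// from script (the XSS theft the answer mentions), Secure keeps it off plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session ID after authentication: an ID an attacker fixed or
    // observed before login is no longer valid.
    session_regenerate_id(true);

    // Single role lookup at login, as the question proposes; cached in the session.
    $stmt = $pdo->prepare('SELECT level FROM roles WHERE user_id = ?');
    $stmt->execute([$row['id']]);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['level']   = (int) ($stmt->fetchColumn() ?: 0);
    // Loose client binding, per the answer's IP-check caveat: compare only the
    // user agent so users behind changing proxies are not logged out.
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function requireLevel(int $minLevel): void
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (empty($_SESSION['user_id']) || ($_SESSION['ua_hash'] ?? '') !== $ua) {
        session_destroy();
        http_response_code(401);
        exit('Not authenticated');
    }
    if (($_SESSION['level'] ?? 0) < $minLevel) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of a mixed-authority page: requireLevel(2);
```

Because the level is cached in the session, a change in the `roles` table takes effect only after the user logs in again, unless the page re-queries it on a timer.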

