or is it easy to manipulate the session data? It is not stored as cookies, just a PHP session using $_SESSION['loggedin'] = 'yes', for example. Thanks!
Session data can't be manipulated from the browser, as the session is handled by PHP, which is a server-side script. So, unless someone gets access to your PHP page, he/she will not be able to make any changes.
As long as the session is not passed in the browser URL, which was the standard about 10 years ago, the user cannot directly manipulate session data. The actual data in a session is stored in a temporary file on the server. Only the server can modify the user's session data. This doesn't mean that it is 100% foolproof. A session still uses a cookie on the client's computer to reference the session ID on the server. If a malicious user was somehow able to steal a real user's session cookie, they could theoretically hijack an active session. This is why session cookies should typically expire and not be persistent if security is the main concern. There are also ways to detect whether the user's browser/OS/tab/window etc. has changed, which would invalidate a session. However, for most usage it's generally acceptable to use a standard session to maintain an authenticated user.
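Added example, not part of any answer in this thread: one way to apply the points above in PHP 7.3+, with a cookie-only, non-persistent session id, a fresh id at login, and a User-Agent/idle check that invalidates the session. The function names, the `user_id`, `fp` and `last_seen` keys and the 30-minute limit are assumptions.

```php
<?php
// Added example; helper names and IDLE_LIMIT are hypothetical, not from the thread.
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed idle timeout, in seconds

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    ini_set('session.use_trans_sid', '0');    // never append the id to links
    session_set_cookie_params([
        'lifetime' => 0,       // non-persistent: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function client_fingerprint(): string
{
    // The User-Agent is client-supplied, so this is a tripwire, not proof of identity.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function log_in(int $userId): void
{
    session_regenerate_id(true);          // new id at login; old session file deleted
    $_SESSION['loggedin']  = 'yes';       // lives server-side; the browser holds only the id
    $_SESSION['user_id']   = $userId;
    $_SESSION['fp']        = client_fingerprint();
    $_SESSION['last_seen'] = time();
}

function is_logged_in(): bool
{
    if (($_SESSION['loggedin'] ?? '') !== 'yes') {
        return false;
    }
    $stale = time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT;
    $moved = !hash_equals($_SESSION['fp'] ?? '', client_fingerprint());
    if ($stale || $moved) {               // expired, or the browser changed
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

Call `start_hardened_session()` at the top of every request, `log_in()` only after the credentials have been verified, and `is_logged_in()` before serving any protected page.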
In general practice it's quite normal to use a standard session to maintain an authenticated user, since the actual data in a session is stored in a temporary file on the server and only the server can modify the user's session data.