This may seem like a stupid question, but I just want to make sure my website is completely secure before launching it. Is it at all possible to artificially set sessions to gain access to certain parts of a website? (Yes, I know sessions are set by the server and not client-side like cookies.) I just want to make completely sure before going ahead with my website.
Only when having access to scripts and their content, so if all the user input is verified it should be OK!
Well it depends on how you implemented the session part. Without seeing your code, it's impossible to tell. If you have some specific questions about parts of your code, you're gonna have to post it. Also, sessions are initiated by the server, but the user remains logged in by using a cookie that holds the session ID. So you also have to make sure your site is not vulnerable to XSS. Otherwise people might be able to steal the cookies and hijack the sessions.
My site isn't vulnerable to XSS; I've checked that over well. Also, the cookies that make the user remain logged in are well encoded, so I'm not really worried about that.
I just didn't know if you could somehow set sessions, which is what I asked. I didn't have a problem with the cookies but I wasn't sure if that was the only thing I needed to be worried about.
Well, every time you call session_start() on a page, and a user visits it, a new session will be created for that user. So every user will have their own session. If you're asking if someone can just go and modify one's session, then, generally speaking, no. That's not (easily) possible. But then again it depends on the rest of your code and how you're handling certain situations. So all we can say is the following: If you're using sessions correctly, you're safe. If you messed up at some part, then god knows what can happen. Your question in general is not specific enough to give you a more precise answer. If you think you're handling everything correctly, go ahead and launch your site.
There are 2 ways you can store sessions: 1) URL, 2) cookies. Most sites use cookies, which means that if you don't have cookies enabled you won't be able to carry the session, ultimately logging you out on each refresh. Regardless of which option is used, to answer your question, yes, it is possible to hijack a session if you know the session id (you would just open the cookie editor, replace your current session (or pass it via the URL) with an admin session and you are logged in as an admin). A good mechanism to avoid session hijacking (it isn't foolproof, but it works most of the time) is to associate the session id with the browser, IP, OS, etc. and validate those settings on each load.
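The check described in the last reply (tie the session to the browser and IP, then validate on each load), as an added example that is not part of the original thread. `SERVER_SECRET`, the function names and the sample request values are hypothetical; the session and request arrays are passed in as parameters so the script also runs from the command line.

```php
<?php
// Added example: bind a PHP session to client attributes and re-check them on each load.
// SERVER_SECRET is a placeholder; keep the real key in configuration outside the web root.
const SERVER_SECRET = 'replace-with-a-long-random-key';

// Fingerprint = HMAC over the User-Agent and the client network.
// IPv4 is reduced to its /24 so a user whose address changes slightly is not logged out.
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = implode('.', array_slice(explode('.', $ip), 0, 3));
    }
    return hash_hmac('sha256', $ua . '|' . $ip, SERVER_SECRET);
}

// Call once, right after the credentials have been verified.
function login_session(array &$session, array $server, int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh ID at login, old session file deleted
    }
    $session['user_id'] = $userId;
    $session['fp'] = client_fingerprint($server);
}

// Call on every page load before trusting $session['user_id'].
function session_is_valid(array &$session, array $server): bool
{
    if (!isset($session['user_id'], $session['fp'])) {
        return false; // never logged in
    }
    if (hash_equals($session['fp'], client_fingerprint($server))) {
        return true;
    }
    $session = []; // attributes changed: drop the login state
    return false;
}

// Constructed sample requests (documentation IP ranges, made-up User-Agent strings).
$session = [];
$owner = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '203.0.113.10'];
$other = ['HTTP_USER_AGENT' => 'OtherBrowser/2.0', 'REMOTE_ADDR' => '198.51.100.7'];
login_session($session, $owner, 42);
var_dump(session_is_valid($session, $owner)); // same browser and network as at login
var_dump(session_is_valid($session, $other)); // same session data, different client
```

On a real page, call `session_start()` first and pass `$_SESSION` and `$_SERVER` to these functions.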