How PHP can safely determine if a user is logged in
Previously I just put the username in the session, and wherever permission was needed I checked whether the username exists.
But what if a hacker gets the session ID and forges a submission to the server?
Could the experts please tell me how to safely verify that the user is logged in? Should I put the session into MySQL?
------Solution--------------------
You can also keep the user's login IP address, or login location, in the session.
The session ID becomes invalid as soon as the IP address changes.
------Solution--------------------
HTTPS prevents plaintext account passwords and session cookies from being stolen.
As for cookies stolen directly from the computer, there is nothing you can do about them.
In addition, you should check the database at login to determine the user's permissions and record them in the session, and after that not check the database again to verify permissions, because the session is maintained on the server side and is safe and reliable, whereas the cookie can be taken.
------Solution--------------------
Check the session. Enforce the use of SSL.
------Solution--------------------
If the cookie is controlled, it means that the other person's computer is controlled, and then it is already very simple for the Trojan to sniff his password or something else. So you don't have to worry about it ...
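
Added example, not part of the original thread: a PHP sketch that combines the suggestions above (HTTPS-only session cookie, permissions recorded in the session at login, session bound to the login IP). It assumes PHP 7.3+ and an HTTPS-only site; the function names `start_secure_session()`, `login_user()` and `current_user()` are hypothetical.

```php
<?php
// Added example: assumes PHP 7.3+ and a site served only over HTTPS.
// start_secure_session(), login_user() and current_user() are hypothetical names.

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // cookie is sent over HTTPS only
        'httponly' => true,    // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, right after the password has been verified against the database.
function login_user(string $username, array $roles): void
{
    session_regenerate_id(true);            // issue a fresh ID at login, delete the old one
    $_SESSION['username'] = $username;
    $_SESSION['roles']    = $roles;         // permissions looked up at login time
    $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Call on every protected page. Returns the logged-in user's data, or null.
function current_user(): ?array
{
    if (!isset($_SESSION['username'], $_SESSION['ip'])) {
        return null;                        // not logged in
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!hash_equals($_SESSION['ip'], $ip)) {
        // IP differs from the one recorded at login: invalidate the session.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return [
        'username' => $_SESSION['username'],
        'roles'    => $_SESSION['roles'] ?? [],
    ];
}
```

Binding to the IP also logs out legitimate users whose address changes mid-session (mobile networks, rotating proxies), and behind a reverse proxy `REMOTE_ADDR` is the proxy's address rather than the client's.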