I'm wondering how secure the below code is:
if ($username == $user-username && $password == $user->password) {
$_SESSION['loggedIn'] = true;
$_SESSION['user_id'] = $user->userId;
}
Basically, would there be any way for someone to fake the SESSION variable (besides actually stealing a users cookie)?
Seems fine to me. Just don't store the password or sensitive data in the session in case someone does steal the session id. I believe most of the security risks take place in getting the password to the server securely.
Also, you should store your password hashed at least. Making it (assuming $user->password is hashed using sha1) sha1($password) == $user->password