I'm making a site that requires users to login. The data that regular users can access isn't especially sensitive. Requiring them to login is more for marketing purposes than for security. So basically, it won't be a disaster if their session IDs are sniffed and someone logs in as them.
However, there are some users that will be able to upload/edit items on the site. They will also have to login, although with a separate php script and differently named session variables. Their info is also stored in a different MySQL table.
The site will be hosted on a shared server, which probably increases vulnerability to attack, even if I do my best to limit the access that other hosting accounts have to my files.
My question is, how paranoid should I be? If power-users only login to add things, for example, once a week (as opposed to every day for regular users) what are the chances of a hacker sniffing out their session ID and using it to attack the site? More specifically, has this ever happened to anyone on this forum?
I don't want to spend a million unnecessary hours encoding all the session IDs and assigning random keys on each request to the server, unless I absolutely have to!
Thanks in advance for your advice!
Do sessions get hijacked? Definitely.
A shared server environment makes things interesting; there is always the possibility of other people on the same host accessing your files, though that really depends on the host.
Making sessions expire after a short period of time helps to protect them.
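As an added example (not code from either poster), here is what the short-expiry advice above looks like in practice for the power-user login script: a private session save path so other accounts on the shared host cannot read the session files, hardened cookie flags, an idle timeout, and periodic ID regeneration so a sniffed ID stops working quickly. It assumes PHP 7.3 or later; the save path, session name and timeout values are placeholders chosen for this example.

```php
<?php
// Added example, not from the thread. Placeholder values: the save path,
// the session name 'PWRSESSID' and the timeouts are assumptions.

// Keep session files out of the shared default /tmp so other accounts on
// the host cannot read or replay them. Must be set before session_start().
ini_set('session.save_path', '/home/YOUR_ACCOUNT/private_sessions');

// Cookie hardening: 'secure' keeps the cookie on HTTPS only (no plaintext
// sniffing), 'httponly' hides it from JavaScript, 'samesite' stops other
// sites from sending it along with cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept a session ID in the URL

session_name('PWRSESSID'); // distinct from the regular-user session name
session_start();

$idleTimeout   = 15 * 60; // power users log in rarely: expire after 15 idle minutes
$rotateEvery   = 10 * 60; // issue a fresh ID every 10 minutes

// Idle timeout: a captured ID is only useful until the user stops clicking.
if (isset($_SESSION['last_activity'])
    && time() - $_SESSION['last_activity'] > $idleTimeout) {
    session_unset();
    session_destroy();
    header('Location: /power-login.php?expired=1'); // placeholder login page
    exit;
}
$_SESSION['last_activity'] = time();

// Periodic regeneration: an ID sniffed earlier no longer maps to a session.
// Call session_regenerate_id(true) at login as well, after the credentials check.
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = time();
} elseif (time() - $_SESSION['created'] > $rotateEvery) {
    session_regenerate_id(true); // true deletes the old session file
    $_SESSION['created'] = time();
}
```

Put this block at the top of the power-user script before any output is sent, since the cookie headers and `header()` redirect cannot be issued afterwards.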