Forum Moderators: coopster


Session IDs

Why use Session IDs

         

snowman304

5:45 pm on Jul 30, 2007 (gmt 0)




I have edited PHP scripts in the past, but this last month has been my first time building (trying to build) a robust application for my website. So far, no one other than me has been testing my application. It is nowhere near being finished, and I have more reading to do about security before I would enter it into beta stage and let others test it.

I started using sessions when I started requiring users to be logged in on the application pages. The thing is, all I do is start the session using simple session functions:

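session_start();
// First request in this session: load the default session variables.
if (!isset($_SESSION['SESSION'])) {
    require "include/session_init.php";
}

// Send anyone who is not logged in to the login page.
if ($_SESSION['LOGGEDIN'] != true) {
    header("Location: login.php");
    exit;
}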

And my session_init page just has a few things that I use throughout my application, so I store them and use those variables. Such as:
$_SESSION['LOGGEDIN'] = "";
$_SESSION['USERID'] = "";
$_SESSION['MNAME'] = "";
$_SESSION['EMAIL'] = "";
$_SESSION['SESSION'] = true;

That is all I do and it seems to work for me. But after reading some pages about session ids and using cookies, I am a little lost. Should I be setting cookies or using the session id in some way? I never call the SID or even use it.
Should I be using it? Should I be checking the SID of my pages or storing it?

After some checking on my local files, I see my application must set a cookie by itself. I deleted the cookie and of course I was logged out. So it seems it is setting a cookie without me even telling it to do so.

What all should I be doing with sessions? Or a better question may be, what would be good common practice when using sessions?

Thanks,
Mike

joelgreen

6:16 pm on Jul 30, 2007 (gmt 0)




As far as I know, a PHP session sets the cookie automatically (or adds the session ID to the URL if allowed in the PHP settings). You do not have to worry about cookies when dealing with sessions.

Seems to me the SID stands for the cookie name. By default it will store the session in the cookie named SID. You can change this name if you do not like it using a PHP function :)
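
An added example, not part of either post: a session bootstrap that covers the common practices the question asks about (cookie-only session IDs, hardened cookie flags, a fresh ID at login), reusing the thread's `LOGGEDIN`, `USERID` and `SESSION` keys. It assumes PHP 7.3 or later and an HTTPS site; the function names and the `APPSESSID` cookie name are hypothetical.

```php
<?php
// Added example (not from the thread). Function names and cookie name are hypothetical.

function start_secure_session(): void
{
    // Accept session IDs only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that PHP did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_name('APPSESSID');          // assumed name; PHP's default is PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,                // cookie ends when the browser closes
        'path'     => '/',
        'secure'   => true,             // assumes the site is served over HTTPS
        'httponly' => true,             // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!isset($_SESSION['SESSION'])) {
        // Same defaults as session_init.php in the post, with a real boolean.
        $_SESSION['LOGGEDIN'] = false;
        $_SESSION['USERID']   = '';
        $_SESSION['SESSION']  = true;
    }
}

function mark_logged_in(string $userId): void
{
    // Issue a new ID at the privilege change and delete the old session data.
    session_regenerate_id(true);
    $_SESSION['LOGGEDIN'] = true;
    $_SESSION['USERID']   = $userId;
}

function require_login(): void
{
    // Strict check: only a real boolean true counts as logged in.
    if (($_SESSION['LOGGEDIN'] ?? false) !== true) {
        header('Location: login.php');
        exit;
    }
}

// On every protected page:
start_secure_session();
require_login();
```

In login.php, call `start_secure_session()` first and `mark_logged_in()` only after the submitted credentials have been verified.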