
PHP Access Rules


andrewsmd

7:53 pm on Jul 15, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have a database of users and they have specific roles. Let's just say for now we have users and admins. What my question is, what is the best way to check their role and see if they have permission or not? I was thinking about using session variables but couldn't a user potentially spoof that. I.e. couldn't a user log in and then read the session variables and pass $_SESSION['user'] = "admin" even though in the database they are a user? Or is that not possible? If so, what is the most secure way to validate a user's role in php? All suggestions are welcome. Thanks,

eelixduppy

2:42 am on Jul 16, 2009 (gmt 0)



Shouldn't be able to spoof the session data. Sessions are stored on the server. As long as they don't have access to the server you should be good there. Sometimes it makes sense to store the session data in a database so that it is behind some extra security (a username and password) because on some servers--if they are shared servers--all the session data from all the sites using the server are stored in the same place. If you are on one of these shared servers you can use session_set_save_handler [us2.php.net] to make a callback function to save and retrieve the session data from the database.

Also, if you are dealing with a very specific, important access situation you can always make the user re-authenticate with their username and password before the action is done. That way you can ensure that they know the credentials before any potentially damaging action has taken place.

On a final note you can also encrypt the session data using mcrypt [us2.php.net] or anything else that suits your needs and decrypt the data when you need to check the permissions.

Just some ideas to keep in mind when implementing a system like this.

P.S. If you are using Smarty it makes it real easy to disable options on a panel or something by just using Smarty conditionals. You would set access variables in a configuration file and then on the template check to see if the current member has the permission to view that option:


{if $access.delete}<show delete option>{/if}

Have fun... :)
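Added example (not code from either poster, and not from the PHP manual) pulling the three ideas above together: a database-backed session store registered with session_set_save_handler, a role check that keeps only the user id in the session and re-reads the role from the users table on every request, and a re-authentication step in front of a destructive action. It assumes PHP 8, a PDO connection, a `users` table (id, username, password_hash, role) and a `sessions` table (id, data, updated); the `REPLACE INTO` syntax assumes MySQL or SQLite.

```php
<?php
// Added example, not part of the thread. Assumes PHP 8 with PDO, a `users`
// table (id, username, password_hash, role) and a `sessions` table
// (id VARCHAR PRIMARY KEY, data TEXT, updated INT). Table names are assumed.
declare(strict_types=1);

// --- 1. Keep session data out of the shared temp directory: store it in the DB.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;   // '' means "no session yet"
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO is MySQL/SQLite syntax (assumed here).
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// --- 2. Authorization: the session carries only the user id (set at login),
//        and the role is re-read from the database on every check, so the
//        database stays the single authority for who is an admin.
function currentRole(PDO $db): ?string
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $st = $db->prepare('SELECT role FROM users WHERE id = ?');
    $st->execute([(int) $_SESSION['user_id']]);
    $role = $st->fetchColumn();
    return $role === false ? null : (string) $role;
}

function requireRole(PDO $db, string $needed): void
{
    if (currentRole($db) !== $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- 3. Step-up: re-verify the password right before a damaging action.
function reauthenticate(PDO $db, string $password): bool
{
    $st = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $st->execute([(int) ($_SESSION['user_id'] ?? 0)]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, (string) $hash);
}

// --- Wiring (DSN is an assumed placeholder).
$db = new PDO('sqlite:app.db');
session_set_save_handler(new DbSessionHandler($db), true);
session_start();

// Deleting a record requires the admin role *and* a freshly typed password.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_id'])) {
    requireRole($db, 'admin');
    if (!reauthenticate($db, $_POST['password'] ?? '')) {
        http_response_code(401);
        exit('Re-authentication failed');
    }
    // ... perform the deletion here ...
}
```

The design point is that nothing security-relevant is trusted from `$_SESSION` beyond the user id: the role lookup hits the database each time, so a stale or tampered session cannot promote anyone, and the re-authentication gate makes a damaging action cost a password even if a session is somehow reused.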

andrewsmd

1:51 pm on Jul 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I use the Template package that is built in with pear. From what I see it's almost the same as smarty, am I wrong? I just didn't think session variables were that secure because I thought a user could capture all of the session data if they had the right software. Am I wrong there too? Thanks for the input.