User login session variable. Is it possible to spoof session variable? PHP

When a user logs in, I use the following strategy to authenticate the user:

  1. Username and password are present in the database along with a unique token and session identifier
  2. Set the session variable $_SESSION['logged_in'] = true if the above returns true
  3. On every page, the base controller checks if ($_SESSION['logged_in'] > 0) and otherwise redirects to the login page.

Is it possible that a hacker might somehow set $_SESSION['logged_in'] = true; ? Do I have a security issue with the above strategy?

Please give me an article or anything that can help me make it more secure.

Asked by GGio, Oct 31 '25 10:10
1 Answer

Sessions are stored on the server, so it is impossible for a user to modify anything within the session unless he breaks into your server. In that case he could obviously run $_SESSION['logged_in'] = true; or do anything else to circumvent whatever security measures you have in your code.

The only thing stored on the client side is the session ID cookie. This is a random 32-character hash that does not contain any data.

Answered by ThiefMaster, Nov 02 '25 01:11
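The answer above explains why the client cannot write into $_SESSION directly; the remaining risks are around the session ID itself (an attacker fixing or stealing the cookie) and the login check. The following is an added example, not code from the question or the answer, showing the three-step strategy from the question with the session hardening a practitioner would want: strict mode so the server only honours IDs it issued, HttpOnly/Secure/SameSite cookie flags, session_regenerate_id() on login to defeat session fixation, and a strict check of the flag. The verify_credentials() helper, the sample user row, the /login.php path and the 8-hour timeout are assumptions made for the example; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example (not the original poster's or answerer's code).
declare(strict_types=1);

function start_secure_session(): void
{
    // Refuse session IDs the server never generated (an attacker cannot plant one).
    ini_set('session.use_strict_mode', '1');
    // Never accept the ID from the URL, only from the cookie.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie dies with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site POSTs
    ]);
    session_start();
}

// Step 1 of the question: check username/password against stored data.
// Assumed stand-in for the database query; the row is constructed sample data
// and the hash would normally be created with password_hash() at registration.
function verify_credentials(string $username, string $password): ?array
{
    $rows = [
        'alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($rows[$username])) {
        return null;
    }
    return password_verify($password, $rows[$username]['hash'])
        ? ['id' => $rows[$username]['id']]
        : null;
}

// Step 2: mark the session as logged in, on a freshly issued session ID.
function login(string $username, string $password): bool
{
    start_secure_session();
    $user = verify_credentials($username, $password);
    if ($user === null) {
        return false;
    }
    // New ID at the privilege change: a session ID the attacker fixed before
    // login is now worthless, and the old server-side record is deleted.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['login_at']  = time();
    return true;
}

// Step 3: the check the base controller runs on every page.
function require_login(): void
{
    start_secure_session();
    // Strict comparison: only the boolean true set by login() counts.
    $ok = isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
    // Assumed absolute lifetime of 8 hours, so a stolen cookie expires.
    if ($ok && time() - (int)($_SESSION['login_at'] ?? 0) > 8 * 3600) {
        $ok = false;
    }
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php', true, 302); // assumed login page path
        exit;
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server record.
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The point of session_regenerate_id(true) is that the only client-side artefact, the ID cookie mentioned in the answer, is replaced at the moment the session gains privileges; use_strict_mode ensures that an ID an attacker hands to a victim (for example via a crafted link) is never accepted as the key to a server-side record.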