Dear Dare,
I would recommend that you get the free copy of *Chapter 10: Security* from the
*Zend Certification Study Guide* by Ben Ramsey & Davey Shafik at
www.zceguide.com


Shorter tips:
1. You can apply session_regenerate_id() to prevent *session riding* or
*session fixation*.
2. You can keep $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] and
check it for the logged-in user to prevent *session hijacking*.
3. Cookies must be encrypted.
4. Filter all inputs and validate them.
5. Escape all output.
6. While filtering inputs, use the whitelist & blacklist method.

Regards

Lenin

http://twitter.com/nine_L

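The tips in the message above, put together as one PHP login flow. This is an added example, not code from the message or from the ZCE guide; check_credentials() and its in-memory user table are hypothetical stand-ins for a real user store, and the /login.php and /home.php paths are assumed.

```php
<?php
// Added example (not from the original message): a PHP login flow that
// applies the session tips above. check_credentials() and its user table
// are hypothetical stand-ins for a real user store.
declare(strict_types=1);

// Session cookie flags: HttpOnly keeps document.cookie from reading the id,
// Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function check_credentials(string $user, string $password): bool
{
    // Hypothetical user store; a real one would hold password_hash() output
    // in a database and verify with password_verify() exactly as done here.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Tip 1: issue a fresh session id at the privilege change, so an id the
    // attacker planted before login (fixation) never becomes the authenticated
    // one. The true argument discards the old session data server-side.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return true;
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit;
    }
    // Tip 2: compare the User-Agent stored at login with the current one and
    // drop the session on mismatch. The header is client-controlled, so this
    // is a cheap extra signal, not a replacement for the cookie flags above.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!hash_equals($_SESSION['user_agent'] ?? '', $ua)) {
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

// Tips 4 and 6: whitelist validation. Only the characters the field needs are
// accepted; anything else is rejected outright rather than cleaned up.
function validate_username(string $raw): ?string
{
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

// Tip 5: escape at output time, for the context the value lands in (HTML).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Login handler (POST) followed by a page that needs an authenticated user.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = validate_username($_POST['user'] ?? '');
    $pass = $_POST['password'] ?? '';
    if ($user !== null && login($user, $pass)) {
        header('Location: /home.php');
        exit;
    }
    echo '<p>Login failed</p>';
    exit;
}

require_login();
// The username is validated on the way in and still escaped on the way out;
// the two controls are independent.
echo '<p>Welcome, ' . h($_SESSION['user']) . '</p>';
```

Order matters in login(): regenerate the id first, then write the authenticated state into the new session, so the pre-login id never carries a logged-in user.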