Harry Fuecks' notes on PHP session security:

"[...] things to watch out for when using sessions for your sites login system;

• 1. Shared web servers
• 2. XSS exploits
• 3. Session IDs in URL
• 4. Session Fixation
• 5. Sniffing Packets
• 6. Cookies are not for session data"