securing session id

I have built my first login system. The user enters a username and password and they are given a session id with their username and id.

This username and id is then used to customize the pages they see.

Every users username and id are basically public information, but the session id is only made by the system when they login.

QUESTION:

What are the security risks of using session id here where the contents are basically public but to get the session id you have to login?

Can someone fake the session id from the public id and username of someone else since that is all a session id contains here? is this easy to do?

Are their any common things to make i开发者_JAVA技巧t safer?

Php's own session function is very good, the session's information isn't stored with the user but on the server, and the session id is kind of like a password.

If you want to know about the security with sessions i highly recomend this video of a speaker at defcon 18.

Basically the session is safe enough, but if you know enough about the server and user you could hack it, but it's a long and hard process to get through and most systems doesnt give you information enough to hack the session.

Since the session ID is used to authenticate a user after the initial user authentication using user name and password, it’s the session ID that is the new authentication key and thus must be protected.

And as the range of possible session IDs is already known in most cases (PHP uses 128 bit, 160 bit, or other depending on the hash function) but the full range is not exploitable in a reasonable time, it is easier to do more adaptive attacks on sessions like Session Hijacking or Session Fixation. And there are well-known protection measurements against these attacks on sessions as well as developing guidelines.