Setting logged in SESSION data - security?

I'm wondering how secure the below code is:

if ($username == $user-&开发者_如何学Pythongt;username && $password == $user->password) {  
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId'] = $user->userId;
}

Basically, would there be any way for someone to fake the SESSION variable (besides actually stealing a users cookie)?

Seems fine to me. Just don't store the password or sensitive data in the session in case someone does steal the session id. I believe most of the security risks take place in getting the password to the server securely.

Also, you should store your password hashed at least. Making it (assuming $user->password is hashed using sha1) sha1($password) == $user->password