PHP会话不安全? 需要另一种方法

So I've been told that this method is not secure, as people can fake sessions and use it's variables.
Here is a small part of my script:

<div class="panel-body text-center">
    <?php
        if(!isset($_SESSION['steamid'])) {
            steamlogin(); //login button
        }
        else
        {
            include ('steamauth/userInfo.php');
            include ('db.php');
            $mysqli = mysqli_query($db,"UPDATE `users_steam` SET name='".$steamprofile['personaname']."', avatar='".$steamprofile['avatarfull']."' lastseen='".time()."' WHERE steamid='".$_SESSION["steamid"]."'");

            echo "<img class='img-responsive center-block rounded' src='".$steamprofile['avatarmedium']."' title='' alt='' /></img><br>"; // Display their avatar!
            echo "<span>".$steamprofile['personaname']."</span>";
            logoutbutton();
        }
    ?>
</div>

If the user is not logged in, the login button is displayed. If opposite, then I display his avatar and name, and also update my database.
$_SESSION['steamid'] variable cointains user STEAM ID, which is retrieved when user logs in through steam. Is there any other way than $_SESSION variables to contain this ID and use it further in my website?
Thanks

You can indeed steal sessions but you have to understand that to do that, you'd first have to steal the cookie containing the session ID from a client, which is pretty hard.

Anyways, some things to make it more secure are:

  • Use SSL, it encrypts everything including the session cookie, makes it impossible to steal trough traffic monitoring.
  • Use multiple criteria when verifying a session cookie, not just the ID. Check for ip address, browser, whatever you can think of
  • Set an aggressive expiration time on the cookie and immediately invalidate it if one of the criteria from above doesn't match.
  • Each time a user visits your page, create a new session and transfer the data from the old session before destroying it. Make sure to generate a different session ID as well and to store it in the cookie.

There's no such thing as absolute security when it comes to web development. You have to accept the fact that an infected or monitored user can be impersonated no matter what you do. The only really secure thing we have right now is SMS tokens, which might be an inconvenience on a smaller website. The most you can do it make it as hard as possible to do it.

To be sure that your page is secure, you should store a session variable like this :

if( $_SESSION['logged_in'] )
{
     // your Code
}

that means only the logged-in user can see.

Now for faking session variables, it is not possible. On the top of that Session variables are not stored on the client's computer, they are only stored on the server. All that the client's machine gets is the sessionID which is usually stored in a cookie.