This is the usual log-in code, some improvements can be made to make it harder to break. First, you can do a checksum with the username and the time of the log in or alternatively, a predefined string (or a salt), and store it in the session, and compare it.

So when the user log in:

// not the most secure hash!
$_SESSION['checksum'] = md5($_SESSION['username'].$salt); 

And before entering a sensitive area:

if (md5($_SESSION['username'].$salt) != $_SESSION['checksum'])
{
  handleSessionError();
}

By default, sessions are often store as files on the server side, and a cookie is put on the user's browser to remember which file to refer to. When it comes to session hacking, somehow the hacker retrieve enough information to duplicate the log-in or managed to change the session data, by using information from the cookie.

You could code your own session handling using databases for added security. Some stricter CMS, like Joomla, also logs the IP. However, this cause problems for people using certain ISP

This is ridiculous.

Session hijacking occurs when (usually through a cross site scripting attack) someone intercepts your sessionId (which is a cookie automatically sent to the web server by a browser).

Someone has posted this for example:

So when the user log in:

// not the most secure hash! $_SESSION['checksum'] = md5($_SESSION['username'].$salt);

And before entering a sensitive area:

if (md5($_SESSION['username'].$salt) != $_SESSION['checksum']) {
handleSessionError(); }

Lets go through what is wrong with this

1. Salts - Not wrong, but pointless. No one is cracking your damn md5, who cares if it is salted
2. comparing the md5 of a SESSION variable with the md5 of the same variable stored in the SESSION - you're comparing session to session. If the thing is hijacked this will do nothing.

$_SESSION['logged_in'] = 1;
$_SESSION['username']  = $username; // user's name
$_SESSION['hash']      = md5($YOUR_SALT.$username.$_SERVER['HTTP_USER_AGENT']);

// user's name hashed to avoid manipulation

Avoid manipulation by whom? magical session faeries? Your session variables will not be modified unless your server is compromised. The hash is only really there to nicely condense your string into a 48 character string (user agents can get a bit long).

At least however we're now checking some client data instead of checking SESSION to SESSION data, they've checked the HTTP_USER_AGENT (which is a string identifying the browser), this will probably be more than enough to protect you but you have to realise if the person has already taken your sessionId in someway, chances are you've also sent a request to the bad guys server and given the bad guy your user agent, so a smart hacker would spoof your user agent and defeat this protection.

Which is were you get to the sad truth.

As soon as your session ID is compromised, you're gone. You can check the remote address of the request and make sure that stays the same in all requests ( as I did ) and that'll work perfectly for 99% of your client base. Then one day you'll get a call from a user who uses a network with load balanced proxy servers, requests will be coming out from here through a group of different IPs (sometimes even on the wrong network) and he'll be losing his session left right and centre.

You can steal sessions via javascript (XSS->crossside scripting attack).. You should always use a salted MD5 Hash to secure your session.

To avoid session hijacking, you should put the user agent

$_SERVER['HTTP_USER_AGENT']

into the hash as well.

In your example:

$_SESSION['logged_in'] = 1;
$_SESSION['username']  = $username; // user's name
$_SESSION['hash']      = md5($YOUR_SALT.$username.$_SERVER['HTTP_USER_AGENT']); // user's name hashed to avoid manipulation

Before using the session, make sure it uses the correct hash:

if (!$_SESSION['hash']==md5($YOUR_SALT.$username.$_SERVER['HTTP_USER_AGENT'])){
  die ('session hash not corrected')
}