Well, you've got the very basics. The values in the session can't be spoofed easily by an arbitrary cracker. If this is on shared hosting, the session data files may be subject to modification by other clients on the server. If not, then it's quite unlikely to have anyone altering your session data.
Unfortunately security is a huge topic. You should consider using SSL/TLS. You should protect from session fixation and mitigate session hijacking attacks. Protect the session storage well, and even if you do all this, the system may be cracked another way (for example, getting the session identifier via XSS, or using SQL injection to crack into the admin system), among many other things.
One hole somewhere in your application could give access to your admin system. It's not just about the back-end. It's about the entire software, server, users, configuration, transport.
We have no idea what you are doing this for. If you are creating a site with a high value, then Benjamin is right about you not being qualified. On the other hand, if this is your own personal home page or just some simple project like a school project, it may not even hurt yourself if the code is insecure.
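The advice above (private session storage, TLS, fixation and hijacking defences) in one place, as an added PHP example that is not code from this thread or from any poster. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params), a writable directory ../private/sessions outside the web root, and a constructed demo user "alice"; the credential lookup is a placeholder you would replace with your own user table.

```php
<?php
// Added example, not from the original thread: a hardened login/session
// handler for a small admin area. Assumes PHP >= 7.3.
declare(strict_types=1);

// 1. Shared hosting: keep session files out of the shared temp directory so
//    other tenants cannot read or edit them. Assumed path, writable only by
//    this site's user and not served by the web server.
ini_set('session.save_path', __DIR__ . '/../private/sessions');

// 2. Session fixation: strict mode makes PHP refuse IDs it never issued, so an
//    attacker cannot pre-set the victim's session ID. Cookies only, never URLs.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// 3. Transport: the post recommends SSL/TLS; refuse to run the admin over plain HTTP.
if (PHP_SAPI !== 'cli' && empty($_SERVER['HTTPS'])) {
    http_response_code(403);
    exit('Admin area is only available over HTTPS');
}

// 4. Cookie flags: Secure (TLS only), HttpOnly (unreadable by XSS),
//    SameSite=Strict (not sent on cross-site requests).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

const IDLE_TIMEOUT = 1800; // seconds before an idle session is dropped

function check_credentials(string $user, string $password): bool
{
    // Placeholder credential store, constructed for the demo only.
    // Real code would load the hash from the database and use password_verify().
    static $hashes = null;
    if ($hashes === null) {
        $hashes = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($hashes[$user]) && password_verify($password, $hashes[$user]);
}

function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Fixation defence: issue a new ID on privilege change and delete the old
    // session file, so an ID an attacker planted before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['is_admin']  = true;          // demo: the only user is an admin
    $_SESSION['last_seen'] = time();
    $_SESSION['ua_hash']   = client_fingerprint();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Hijacking mitigation: drop idle sessions and sessions whose client looks
// different from the one that logged in. Call at the top of every admin page.
function require_admin(): void
{
    $idle    = !isset($_SESSION['last_seen']) || time() - $_SESSION['last_seen'] > IDLE_TIMEOUT;
    $changed = ($_SESSION['ua_hash'] ?? '') !== client_fingerprint();
    if (empty($_SESSION['is_admin']) || $idle || $changed) {
        logout();
        http_response_code(403);
        exit('Forbidden');
    }
    $_SESSION['last_seen'] = time();
}
```

The user-agent check only catches careless hijackers, since anyone who steals the cookie can copy the header too; the real protections are the cookie flags, TLS, and regenerating the ID at login. Regenerate it again on logout and on any other privilege change, and remember this does nothing against the XSS or SQL injection holes the post mentions, which have to be fixed in the application itself.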
wurdup wrote: Do you say that to every beginner on here, as your comments aren't helpful?
Maybe they were helpful, maybe they weren't, but at least we have now considered that aspect and you know not to code for a bank, so let's not start a war.
