I wanted to ask you how I should protect my scripts to prevent hacking of sessions and cookies - and no, I'm not talking about the actual insert queries that require addslashes and so on.

In my cookies I usually just include my password (encrypted) and my UserID, and check them with a simple MySQL query.
The session usually just approves that the user has logged in properly and therefore has only one variable, named e.g. "has_logged_in".

Are there any common mistakes that I should look over?
Another thing is, how should I use the session.id in order to check for an approved login?

Thanks, Ben.
https://forums.phpfreaks.com/topic/10416-how-to-secure-my-websites-properly/

I always check the input username and password against md5 hashed username & password in the database.

If they match, set $_SESSION['username'] with the name the user input on the form by using $_SESSION['username'] = $_POST['username'].

Then, I add the following to each page which requires protection.

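<?php
session_start(); // the session must be started before $_SESSION is read
if (empty($_SESSION['username'])) {
    // Not logged in: show the message and render nothing else
    echo "You need to login to access this page";
} else {
    // Rest of the page content here
}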

I do the same things. I wanted to know if there are any other security holes that may appear (maybe there is some way to create sessions, dunno), and if there are, I should start using session IDs in order to verify the user's connection.
About cookies, well, it's actually the same because I only create the cookie and do the verification once (and then I just continue using sessions).
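
A sketch of the session handling discussed in this thread, as an added example that is not part of any post: it issues a fresh session ID at login, restricts the session cookie, and keeps only the user ID in the session, so no password travels in a cookie. The user row, the function names and the 30-minute limit are assumptions, and password_hash() is used in place of the md5 mentioned above.

```php
<?php
// Added example, not code from the thread. The user row is constructed
// sample data standing in for a database record; function names are hypothetical.
declare(strict_types=1);

// Constructed sample row: password_hash() output, swapped in for md5.
$userRow = ['id' => 7, 'username' => 'ben',
            'pw_hash' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'httponly' => true,   // cookie is not readable from JavaScript
        'secure'   => true,   // cookie is sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $row, string $username, string $password): bool
{
    if ($row['username'] !== $username || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // new ID at login defeats session fixation
    $_SESSION['user_id']  = $row['id'];  // store the server's value, not raw $_POST input
    $_SESSION['login_at'] = time();
    return true;
}

function require_login(int $maxAge = 1800): int  // 30 minutes, an assumed limit
{
    $age = time() - ($_SESSION['login_at'] ?? 0);
    if (empty($_SESSION['user_id']) || $age > $maxAge) {
        $_SESSION = [];                  // drop whatever state was there
        http_response_code(403);
        exit('You need to login to access this page');
    }
    return $_SESSION['user_id'];
}

start_secure_session();
if (login($userRow, 'ben', 'correct horse')) {
    echo 'Logged in as user ', require_login(), PHP_EOL;
}
```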