ebol4 (Posted February 12, 2012)
Link: https://forums.phpfreaks.com/topic/256980-how-to-prevent-session-spoofing-and-session-hijacking/

I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, it lets them continue through the website; if not, it tells them to log in. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they log in (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive.
ebol4 (Author, Posted February 12, 2012)

Then again though, even if I did use my solution, it's still vulnerable to XSS session hijacking. I could check the user agent, but if the attacker has the same user agent, it'd still let the session be hijacked. If I checked the IP, people who use proxies that change IPs based on server load would have to keep logging in.
ebol4 (Author, Posted February 13, 2012)

I guess I could use user agent combined with screen resolution. Screen resolution requires JavaScript though, so it'll just be a backup in case the user agent suddenly changes. Is there a better way to defend against hijacking?
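A worked version of the scheme from the first post (a random per-login key stored in the database and re-checked on every page), with session-id regeneration against an injected cookie and an HttpOnly cookie flag for the XSS hijacking concern raised in the later posts. This is an added example, not the poster's code; it assumes a PDO connection $pdo, a users table with id, username, password_hash and a session_token column, and PHP 7.3 or later.

```php
<?php
// Added illustration for the thread above; not the poster's code.
// Assumes a PDO connection $pdo and a `users` table with columns
// id, username, password_hash and session_token (the last is assumed).

// HttpOnly keeps the session cookie out of document.cookie, which is
// the XSS theft path from the second post. Secure requires HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A session cookie planted in the browser before login must not
    // survive login: replace the id so any pre-set value is worthless.
    session_regenerate_id(true);
    // The per-login random key the poster described, from a CSPRNG.
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('UPDATE users SET session_token = ? WHERE id = ?')
        ->execute([$token, $row['id']]);
    $_SESSION['user']  = (int) $row['id'];
    $_SESSION['token'] = $token;
    return true;
}

// Called at the top of every protected page: one primary-key lookup
// per request, so the cost the poster worried about stays small.
function isLoggedIn(PDO $pdo): bool
{
    if (!isset($_SESSION['user'], $_SESSION['token'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT session_token FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user']]);
    $stored = $stmt->fetchColumn();
    // Constant-time compare; also fails once a newer login replaced the token.
    return is_string($stored) && hash_equals($stored, $_SESSION['token']);
}
```

Because the token is rotated on each login, a stolen copy stops working as soon as the real user logs in again, which is a property the $_SESSION['user'] check alone does not give.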