I have a PHP/LDAP authentication system that sets SESSION variables to indicate that a particular user has authenticated. Other SESSION variables are set as well (name, uid, groups, that sort of thing). Trouble is, I allow users to log into the system and host their own web pages. This means that a user can create a PHP file that sets the same SESSION variables and then go to my protected site and fool the authentication script. Clearly, I am doing something wrong. I would like to limit the ability of users to access SESSION - that would be the simplest method. Is there a way to do this or does somebody have a recommendation on the proper way to do this?
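
One way to close the gap described above, as an added example that is not part of the original post: the protected application keeps its sessions in its own store under its own cookie name, and accepts a session as authenticated only if it carries an HMAC tag written after the LDAP bind. The directory, key file, cookie name and function names are hypothetical, and it assumes user-hosted scripts run under a separate OS account (or `open_basedir`) so they cannot read either path.

```php
<?php
declare(strict_types=1);

// Hypothetical paths; both assumed unreadable by user-hosted scripts.
const APP_SESSION_DIR = '/var/lib/protected-app/sessions'; // mode 0700
const APP_KEY_FILE    = '/etc/protected-app/session.key';  // >= 32 random bytes

function app_session_start(): void
{
    // Do not share the default session store or cookie name with hosted pages.
    session_save_path(APP_SESSION_DIR);
    session_name('PROTECTEDAPPSESSID');
    session_set_cookie_params(['path' => '/protected/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    session_start();
}

function auth_tag(string $uid, array $groups, int $issued): string
{
    $key = file_get_contents(APP_KEY_FILE);
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('session key unavailable');
    }
    // Bind the tag to this session ID so it cannot be copied to another session.
    $msg = json_encode([session_id(), $uid, array_values($groups), $issued]);
    return hash_hmac('sha256', $msg, $key);
}

// Call only after the LDAP bind for $uid has succeeded.
function mark_authenticated(string $uid, array $groups): void
{
    session_regenerate_id(true); // new ID at the privilege change
    $issued = time();
    $_SESSION['uid']      = $uid;
    $_SESSION['groups']   = $groups;
    $_SESSION['issued']   = $issued;
    $_SESSION['auth_tag'] = auth_tag($uid, $groups, $issued);
}

function is_authenticated(): bool
{
    // Weak form from the post: return !empty($_SESSION['authenticated']);
    $uid = $_SESSION['uid'] ?? null;
    $groups = $_SESSION['groups'] ?? null;
    $issued = $_SESSION['issued'] ?? null;
    $tag = $_SESSION['auth_tag'] ?? null;
    if (!is_string($uid) || !is_array($groups) || !is_int($issued) || !is_string($tag)) {
        return false;
    }
    return hash_equals(auth_tag($uid, $groups, $issued), $tag);
}
```

If hosted scripts run as the same OS user as the protected application with no `open_basedir` restriction, they can read both the session directory and the key, so the process isolation is what the rest depends on.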