A) if you use session cookies, unless someone is actually on the network doing some packet sniffing and so forth (and what can you really do about that?) I believe it would be fairly secure, as long as you make sure its *your* session cookie, as there is no way to determine a session cookie from a cookie someoe wrote and stuck on their hardrive (afaik).

You might want to look into apache::session i believe is the module name.