I would like to hear your opinion on whether it's secure to use PHP sessions for authentication in something like a chat system. I personally believe that it would be better to write a db-based mechanism instead.
How would you want it to be session based only?
The login and password (or whatever) you store in a session, yes. But you need to compare it to some other values (i.e. db, text file, cookie)...
This topic has been covered extensively. Search the forums to find some really nice threads on PHP session security and the different ways to approach it.
I did not mean storing passwords in session variables. I meant comparing the password the user entered with the one in the db, and then, if they matched, registering a session. That way you could check whether the session is registered at each user action, e.g. posting in a forum.
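
The flow described in the last post, sketched as an added example that is not part of the original thread: check the entered password against the database, register the session, then verify the session on every action. The function names, the `users` table and its `id`, `username` and `password_hash` columns (hashes created with `password_hash()`), and the 30-minute idle limit are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: call at the top of every request, before any output.
function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: $db is a PDO connection to the assumed `users` table.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; the password itself never enters the session.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh ID at login so a pre-set ID cannot be reused
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Hypothetical helper: run before each user action (e.g. posting a message).
function require_login(int $idleLimit = 1800): int {
    $uid  = $_SESSION['user_id'] ?? null;
    $last = $_SESSION['last_seen'] ?? 0;
    if ($uid === null || time() - $last > $idleLimit) {
        $_SESSION = [];          // drop all session data
        session_destroy();       // and the server-side session record
        http_response_code(401);
        exit('Please log in.');
    }
    $_SESSION['last_seen'] = time(); // sliding idle timeout
    return $uid;
}
```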