It all depends on what you mean by “security”. There is no abstract notion of “being secure”. You can only be secure against specific threats. (This is called your “threat model”.) If you don’t say what you want to be secure against, it’s impossible to say whether your solution is good or not. There’s certainly no guarantee that zombies won’t come and eat your site users when they log in to your site!

That said, session variables are inaccessible through the web server, so they form part of the opaque state of your web application which the user cannot see or exploit directly.

On the other hand, there are numerous avenues of attack that allow for leaking, stealing or abuse: If the session cookie is stolen, someone else can take over the session (and perhaps launch the nuke); this is an entirely common Starbucks-type scenario. Another vulnerability lies on the server itself: If the session data is stored in a file that is readable by other users, say on a shared host, then it is possible that others may obtain the session ID and the session data behind your back, by reading them directly from the server’s disk.

It all depends! Probably best not to write your nuke strike management app in PHP on a shared host…