This would depend entirely on how that variable makes it to the session and how well you’re managing session.

One case to always consider when dealing with web-site security and user credentials is the possibility of a user logging on to your site in a public environment and then walking away. How long will he stay logged in? How accessible is the sensitive information when already logged in?

If you have a relatively short session timeout and are making sure that you are managing what makes it into $_SESSION[‘user_id’] then this is a reasonable approach. It may be better to actually check the VALUE of what is in $_SESSION[‘user_id’] but that won’t be a huge improvement over what you currently have.

The main thing that I would recommend taking into account would be to require login credentials once more if a user ever wants to alter their account’s details / access overly sensitive data (you wouldn’t want a stranger changing your users’ login names would you?). While this may be a bit of a hassle for regular users, it definitely adds a good measure of security to your application.