before_destroy and sessions

Justin Skolnick wrote:

(Semi-newbie.) I want to ensure a user's able to destroy only his own
objects. I've set session info at login:

  session[:user_id] = user.id

Is the session cookie secure? How easy is it to forge a sessionn with
someone else's user.id?

--Dean