Tycoon Talk
PHP Forum


Newb question about sessions and security
Old 12-17-2007, 03:12 PM Newb question about sessions and security
Skilled Talker
Posts: 54
Name: Madars
Location: Latvia
I've been using a cookie-based user authentication system for a while, and now decided to switch to sessions.
Actually I don't know anything about what I'm doing.

Basically the question is: is this safe?
PHP Code:
<?php
session_start();
header("Cache-control: private");
if (@$_SESSION["logged"]) {
    if (isset($_GET['logout']) && $_GET['logout'] == "true") {
        session_destroy();
        header('Location: file.php');
        exit; // stop here, otherwise the page body below is still sent after the redirect
    }
?>
<h2>CONTENT HERE</h2>
stuff
stuff
stuff
<a href="?logout=true">logout</a>
<?php
} elseif (isset($_POST['user']) && isset($_POST['pass']) && strtolower($_POST['user']) == "guest" && $_POST['pass'] == "root") {
    $_SESSION["logged"] = true;
    header('Location: file.php');
    exit; // same reason: nothing should be output after a Location header
} else {
?>
<h2>LOG IN!</h2>
<form action="file.php" method="post">
    Username:<br />
    <input type="text" name="user" /><br />
    Password:<br />
    <input type="password" name="pass" /><br />
    <input type="submit" value="Log in..." />
</form>
<?php } // closes the else branch ?>
Can someone "fake" the session?

Maybe there is a good guide about session-based login systems?
I tried reading the php.net manual, but didn't get everything about session IDs and times.
 
 
Old 12-17-2007, 04:11 PM Re: Newb question about sessions and security
klaroen
Experienced Talker
Posts: 30
I think sessions can't be faked, no.

I believe the best way to use a session is to store the user id in it.
So instead of $_SESSION['logged'] = true; put his id in it, so you can call info of the logged-in user later from your database. For the rest, sessions are quite easy I guess: just give them a value if the login is correct, destroy them on logout (or by closing the browser or a timeout), and use the session as an id value of the logged-in user.
 
Old 12-19-2007, 02:10 AM Re: Newb question about sessions and security
mtishetsky
King Spam Talker
Posts: 1,226
Name: Mike
Location: Mataro, Spain
How do you think a session differs from a cookie?

If you cannot answer this question, I will. A cookie contains the information which is sent to your script every time a user requests a page. You can store the user login and a hash of the user password in a cookie and check whether this user is valid every time he requests a page. A session stores this information on your server, but to identify a user a cookie is still used; in this case it contains only the session id.

So if you receive a request to authorize the user with the login and password provided and make $_SESSION['logged'] = true, the session can be faked if another user sends you the same session id. Quite the same way as a cookie can be faked if another user sends you a cookie with the user login and password hash.

So? Obviously sessions are neither less secure nor more secure than cookies. They only differ in the place where the data is stored: either on the client or on the server. If you need more security you should bind the user's cookie to something else, like the IP address.
 
Old 12-19-2007, 03:52 AM Re: Newb question about sessions and security
klaroen
Experienced Talker
Posts: 30
But sessions are a bit safer because they run out and get destroyed on browser close.
 
Old 12-19-2007, 04:12 AM Re: Newb question about sessions and security
mtishetsky
King Spam Talker
Posts: 1,226
Name: Mike
Location: Mataro, Spain
I insist that you carefully RTFM about sessions until you understand them clearly.
A session IS NOT destroyed on browser close. It is a COOKIE that CAN BE set to be removed on browser close. A session will be removed either according to the garbage collection settings or by forcing session_destroy(); otherwise it will remain usable.
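The distinction mtishetsky draws above (the cookie may vanish when the browser closes, the server-side session data does not) is easy to demonstrate and easy to act on. The following is an added example, not code from this thread or from any poster: it shows the relevant php.ini settings and enforces an idle and an absolute lifetime on the server side, where the client cannot influence it. It assumes PHP 7 or later with the default file session handler; the function name and the two timeout constants are hypothetical choices.

```php
<?php
// Added example: why "closing the browser" does not end a PHP session, and how
// to enforce a timeout on the server instead. Assumes PHP 7+, default file
// session handler; enforce_session_lifetime() and the policy values are mine.

declare(strict_types=1);

// The cookie only carries the session id. cookie_lifetime=0 tells the browser
// to drop that cookie on exit, but the data file on the server survives until
// the garbage collector runs (a gc_probability/gc_divisor chance per request,
// removing files idle longer than gc_maxlifetime seconds). These must be set
// before session_start().
ini_set('session.cookie_lifetime', '0');    // browser-session cookie
ini_set('session.gc_maxlifetime', '1440');  // 24 min idle before GC *may* delete the file
ini_set('session.use_strict_mode', '1');    // an id the server never issued is replaced, not adopted
ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... from the URL
ini_set('session.cookie_httponly', '1');    // keep page script away from the id

session_start();

const MAX_IDLE_SECONDS     = 15 * 60;   // hypothetical policy: 15 minutes without a request
const MAX_ABSOLUTE_SECONDS = 8 * 3600;  // hypothetical policy: 8 hours since login, no matter what

/**
 * Returns true if the session is still inside both limits, false if it was
 * expired and wiped. $now is passed in so the rule can be reasoned about with
 * fixed timestamps rather than the wall clock.
 */
function enforce_session_lifetime(array &$session, int $now): bool
{
    if (!isset($session['created_at'], $session['last_seen'])) {
        // First request of a fresh session: start both clocks.
        $session['created_at'] = $now;
        $session['last_seen']  = $now;
        return true;
    }
    $idle_too_long = ($now - $session['last_seen'])  > MAX_IDLE_SECONDS;
    $too_old       = ($now - $session['created_at']) > MAX_ABSOLUTE_SECONDS;
    if ($idle_too_long || $too_old) {
        $session = [];   // drops everything, including any 'logged' / 'user_id' value
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

if (!enforce_session_lifetime($_SESSION, time())) {
    // Remove the server-side file and expire the cookie, then force a re-login.
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
    header('Location: file.php');
    exit;
}

// Normal page logic continues here with a session that is at most
// MAX_IDLE_SECONDS idle and MAX_ABSOLUTE_SECONDS old.
```

Two caveats a practitioner would want: gc_maxlifetime is only a lower bound on how long a stale file survives, because collection is probabilistic per request (and some distributions set gc_probability to 0 and clean up from a cron job instead), so the explicit check above is the only lifetime you actually control; and the idle timer lives in $_SESSION, not in the cookie, precisely because anything in the cookie can be edited by the client.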
 
Old 12-19-2007, 06:27 AM Re: Newb question about sessions and security
tripy
Do not try this at home!
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
And I will add that somebody forging a cookie (or, if it's enabled, passing a PHPSESSID= parameter) with a valid id can hijack the session.

I'd say that sessions are more flexible than cookies, but not that much safer.
You still have to be careful what you save in them, and do more checks depending on the security level you need.

For instance, you could store the browser's IP in a DB and in the session, and check it on each page load.
If you see that the IP changed between 2 calls, you invalidate the session and ask the user to log back in.
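Pulling the thread's advice together (klaroen: keep the user id in the session and look the rest up; mtishetsky and tripy: a valid id presented by anyone is the session, so bind it to the client and refuse ids arriving in the URL), here is Mad182's page restructured along those lines. This is an added example, not Mad182's code or any poster's. It assumes PHP 7.3 or later; the in-memory user table, the password hash computed inline, the policy settings and the helper names are all hypothetical stand-ins for a real database and configuration.

```php
<?php
// Added example, not code from the thread: the login page from the question
// rebuilt so that a forged or planted session id is far less useful. Assumes
// PHP 7.3+; the user table, policy values and helper names are hypothetical.

declare(strict_types=1);

ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in the URL (tripy's point)
ini_set('session.use_strict_mode', '1');   // an id the server never issued is replaced, not adopted
ini_set('session.cookie_httponly', '1');   // script on the page cannot read the id
ini_set('session.cookie_samesite', 'Lax'); // cross-site POSTs do not carry the cookie
session_start();

// Constructed stand-in for a users table (id => name, password hash). A real
// deployment reads this from the database; the hash is computed here only so
// the example is self-contained (do not hash on every request in production).
$USERS = [
    1 => ['name' => 'guest', 'hash' => password_hash('root', PASSWORD_DEFAULT)],
];

/** Client fingerprint stored at login and re-checked on every request. */
function client_binding(array $server): string
{
    // REMOTE_ADDR is set by the web server; headers such as X-Forwarded-For
    // are attacker-controlled and must not be trusted raw.
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

/** Verifies the credentials; on success replaces the session id and seeds the session. */
function login(array $users, string $user, string $pass, array $server): ?int
{
    foreach ($users as $id => $row) {
        if (strtolower($row['name']) === strtolower($user)
            && password_verify($pass, $row['hash'])) {
            // Fresh id at the privilege change: an id planted before login
            // (session fixation) or captured earlier no longer maps to this session.
            session_regenerate_id(true);
            $_SESSION = [
                'user_id' => $id,                     // klaroen: store the id, look the rest up later
                'binding' => client_binding($server), // tripy / mtishetsky: tie the id to the client
            ];
            return $id;
        }
    }
    return null;
}

/** Returns the user row for a valid, correctly bound session, otherwise null. */
function current_user(array $users, array $session, array $server): ?array
{
    if (!isset($session['user_id'], $session['binding'])) {
        return null;
    }
    if (!hash_equals($session['binding'], client_binding($server))) {
        return null; // same id, different client: treat the session as hijacked
    }
    return $users[$session['user_id']] ?? null;
}

/** Full logout: clear the data, expire the cookie, delete the server-side store. */
function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

if (isset($_GET['logout'])) {
    logout();
    header('Location: file.php');
    exit;
}

if (isset($_POST['user'], $_POST['pass'])
    && login($USERS, (string) $_POST['user'], (string) $_POST['pass'], $_SERVER) !== null) {
    header('Location: file.php');
    exit;
}

$me = current_user($USERS, $_SESSION, $_SERVER);
if ($me === null) {
    if ($_SESSION !== []) {
        logout(); // binding failed: do not let the stale session linger
    }
    echo '<h2>LOG IN!</h2>'
       . '<form action="file.php" method="post">'
       . 'Username:<br /><input type="text" name="user" /><br />'
       . 'Password:<br /><input type="password" name="pass" /><br />'
       . '<input type="submit" value="Log in..." /></form>';
    exit;
}

echo '<h2>CONTENT HERE</h2>';
echo 'Hello, ' . htmlspecialchars($me['name'], ENT_QUOTES, 'UTF-8');
echo ' <a href="?logout=true">logout</a>';
```

One caveat on the IP binding tripy suggests: users on mobile networks or behind load-balanced corporate proxies change source address mid-session and will be logged out, so treat the check as a policy knob rather than a given. The part that costs nothing and closes the fixation path the thread describes is session_regenerate_id(true) at login together with use_strict_mode and use_only_cookies.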
 