User ID, session data and security
#9

[eluser]Silviu[/eluser]
To be honest, I'm not sure ATM about the other applications regarding trust level. I've added this to my checklist :-)

And, to be more precise, my concern is not cookie hijacking per se; my concern is that a user who received a legit cookie can modify that cookie and change the id/token stored in it to identify himself as another user.
Having everything compared to the stored user's id, I view this aspect as an Achilles' heel, so I'm collecting data on this matter to see if CI sessions are secure enough for this purpose.


So far, I have identified several details that I should have in my setup regarding this matter:
- Alpha-numerical user ID/token (an alpha-numerical GUID)
- Encrypt the session data with a strong encryption key
- Store the session data in the database
- Have the stored user ID/token processed through a hash function before storing it

Do I have to take anything more into account? Or am I being too paranoid? :-)


Another thing... having the session data stored in the database means that only the session ID is stored on the user computer?
If true, then:
- This means I don't have to worry about exposing the user ID, since it does not leave the server (hence I don't have to hash it or use alpha-numerical values as mentioned above).
- If the user can change the session id, then, according to the above setup, can he get access to the system as another user (assuming that he is lucky enough to get a valid session ID)? From what I understood until now he cannot, but I'm asking again to be sure.
- How secure is the session ID stored in the user's computer?
--- How long is it? The database field is a varchar(40).
--- I suppose it is encrypted if the encryption is enabled.
--- Can the session id rotation time be decreased? Is it worth it?

Thanks.
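The setup discussed in this post (session data kept server-side, only an opaque id in the cookie, the user id never read from the client, periodic id rotation), as an added example in Python rather than CodeIgniter's PHP. This is not code from the thread or from CI; SERVER_KEY, ROTATE_AFTER, SessionStore and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption (not from the thread): a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
ROTATE_AFTER = 300  # seconds; illustrative rotation interval

class SessionStore:
    """Server-side session table: the browser only ever holds the opaque id."""
    def __init__(self):
        self.rows = {}  # session_id -> {"user_id": ..., "created": ...}

    def create(self, user_id, now):
        # 40 hex chars = 160 random bits, which is what a varchar(40) column holds.
        sid = secrets.token_hex(20)
        self.rows[sid] = {"user_id": user_id, "created": now}
        return sid

def sign(sid):
    # Tamper-evidence for the cookie: an edited id no longer matches its MAC.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def issue_cookie(store, user_id, now):
    sid = store.create(user_id, now)
    return f"{sid}.{sign(sid)}"

def resolve_cookie(store, cookie, now):
    """Return (user_id, cookie_to_set) or None if the cookie is not accepted.

    The user id is never read from the cookie; it comes from the server row the
    id points at. Editing the cookie can only name an id the client cannot pick
    (random, 160 bits) and cannot sign (no key), so it is rejected.
    """
    sid, sep, mac = cookie.partition(".")
    if not sep or not hmac.compare_digest(sign(sid).encode(), mac.encode()):
        return None  # edited or forged cookie: rejected before any DB lookup
    row = store.rows.get(sid)
    if row is None:
        return None  # well-formed but unknown or expired id
    if now - row["created"] >= ROTATE_AFTER:
        # Rotate: retire the old id so an earlier copy of the cookie stops working.
        del store.rows[sid]
        return row["user_id"], issue_cookie(store, row["user_id"], now)
    return row["user_id"], cookie
```

With a random 160-bit id and a server-side lookup the MAC is belt-and-braces; its practical benefit is that a modified cookie is dropped before it touches the database.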

