[eluser]xwero[/eluser]
Maybe logging is the wrong word; identifying is better, I guess. If you look at the updateUserInfo method, he uses the session variables. In addition, there is the question about security of the session variables. These are the two things I based my replies on. If I misread it, that's my fault.
In your method I don't see how the user is identified. In my eyes it reads as: someone is logged in, so he can do more. Or do I misread that too?
I agree with you, no password in the session, but if you don't have unique IDs there are other ways to identify someone without the user's password as a session variable. I suggested a few solutions for that.