User ID, session data and security
#1

[eluser]Silviu[/eluser]
Hello,

I'm planning to build an application that (among other things) handles private data.
Every bit of private data has an "owner" field, to prevent users attempting to get/change other user's data. This is actually the user ID.

So, my plan is:
- User logs in.
- The ID is stored in a session variable.
- Every piece of data that is manipulated is checked against the stored ID, and only if it matches, the operation is permitted.

Using plain PHP, the user ID would have been stored in a $_SESSION variable. And this particular data would have been stored on the server only - and, AFAIK, it is not modifiable by the user in any way.

The CodeIgniter session class stores the "session" data in a cookie. And the cookie is stored in the user's computer - the information retrieved from the user should always be treated as tainted.

My questions:

1: Since using CI sessions, the data is actually stored in the user's computer, how safe is it to use the method outlined above? I mean, what are the chances of someone successfully decrypting/bypassing the encryption and changing the cookie to access other users' data (this assumes that this person knows how the system works - but not the encryption key)

2: Are there other methods to accomplish this? Something like storing for each session_id a corresponding user_id in the database, user_id that would be retrieved and used. But this will leave the door open to changing your session_id, so this is kinda back to square one, but without being able to change a specific user, since the malevolent user can't be sure about the user id he will get.

3: Another option - store not the user ID, but a custom hash (like sha1(md5(4userid)) and check against that? Or make the user_id not a simple number, but a hash in itself? sha1(md5(uniqid(true)))?

Well, any suggestions?
The privacy of the data is very important for me, and it's worth the time to implement a secure way to access it.

Thanks.
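One way to implement the server-side alternative from question 2 together with the owner check from the plan above, as an added example that is not code from this thread or from CodeIgniter: plain PHP with PDO and an in-memory SQLite store, where the `sessions`/`documents` tables, the `login`/`currentUser`/`fetchDocument` functions and the sample rows are all constructed for the example. Only a random token reaches the client; the user id it maps to never leaves the server, and every data query carries the owner in its WHERE clause.

```php
<?php
// Added example (not from the thread): server-side session mapping plus an
// ownership check, in plain PHP with PDO/SQLite so it runs stand-alone.
// Assumptions: PHP 7+ (random_bytes) and the pdo_sqlite extension.

function bootstrap(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
    $pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, owner INTEGER NOT NULL, body TEXT)');
    // Constructed sample rows: user 1 owns document 10, user 2 owns document 20.
    $pdo->exec("INSERT INTO documents VALUES (10, 1, 'alice private'), (20, 2, 'bob private')");
    return $pdo;
}

// Login: only an unguessable random token goes to the client; the user id stays server-side.
function login(PDO $pdo, int $userId): string {
    $sid = bin2hex(random_bytes(32)); // 256 bits of entropy, not derived from the user id
    $stmt = $pdo->prepare('INSERT INTO sessions (sid, user_id) VALUES (?, ?)');
    $stmt->execute([$sid, $userId]);
    return $sid; // send this as an HttpOnly, Secure cookie
}

// Resolve the cookie token back to a user id; unknown or altered tokens resolve to nothing.
function currentUser(PDO $pdo, string $sid): ?int {
    $stmt = $pdo->prepare('SELECT user_id FROM sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Every read (and write) includes the owner in the WHERE clause, so a valid
// session for user A can never reach a row owned by user B.
function fetchDocument(PDO $pdo, string $sid, int $docId): ?string {
    $uid = currentUser($pdo, $sid);
    if ($uid === null) {
        return null; // no session: treat like an anonymous request
    }
    $stmt = $pdo->prepare('SELECT body FROM documents WHERE id = ? AND owner = ?');
    $stmt->execute([$docId, $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

$pdo = bootstrap();
$aliceSid = login($pdo, 1);
var_dump(fetchDocument($pdo, $aliceSid, 10));         // document owned by the session's user
var_dump(fetchDocument($pdo, $aliceSid, 20));         // document owned by a different user
var_dump(fetchDocument($pdo, strrev($aliceSid), 10)); // altered token, no matching session
```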

