Storing Encrypted Password in Session variables
#5

[eluser]ufasoli[/eluser]
[quote author="xwero" date="1196787168"]Normally the userid would be unique so you can only store that in the session id. If someone hijacks the session cookie he has some id of which the hacker doesn't know if it's going to change randomly. You could even create a userid to put in sessions or cookies so the real id is only reachable internally.

Storing a password in the session is a bad idea, I think. Some technically aware users flinch when they see the password is sent in plain text, but hashing on the client's machine is open to other attacks, I read recently. If they know their password is stored in a session cookie + session db if coded they will go crazy :) You should only do adding, updating and password checks. Maybe for some updating is already a bridge too far.

I think if you want the 'most' secure option, not making it too difficult for yourself, you should consider a changeable unique session/cookie userid.[/quote]

So you think storing the session in the database is a bad idea too? What do you actually mean when you say "consider a changeable unique session/cookie userid"? That each time a user logs in I should create a 'fake' id and store it in a session variable?
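
One way to read the "changeable unique session/cookie userid" idea from the quoted post, as an added example that is not part of the original thread: the cookie carries only a random token, and a server-side table maps it to the real user id, so neither the password nor the real id ever reaches the client. `SessionStore`, its method names, the hashed-token storage, and the 30-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed lifetime for this sketch


class SessionStore:
    """Server-side table: sha256(token) -> (real user id, expiry time).

    Only the hash of the token is kept, so a leaked table does not
    hand out usable cookies. No password or password hash is stored.
    """

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Call after a successful password check; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, unrelated to user_id
        self._rows[self._key(token)] = (user_id, now + SESSION_TTL)
        return token

    def resolve(self, token, now=None):
        """Map a cookie value back to the real user id, or None."""
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None or row[1] <= now:
            self._rows.pop(self._key(token), None)  # drop expired rows
            return None
        return row[0]

    def rotate(self, token, now=None):
        """Swap a valid token for a fresh one; the old value stops working."""
        user_id = self.resolve(token, now)
        if user_id is None:
            return None
        del self._rows[self._key(token)]
        return self.issue(user_id, now)

    def revoke(self, token):
        """Logout: forget the token."""
        self._rows.pop(self._key(token), None)
```

Rotating on login and on privilege changes means a captured cookie value is only useful until the next rotation or expiry.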

