Good - only store the user ID in the session, where that ID is a long randomized string, not an incrementing ID.

Better - have a DB table for currently logged-in users. The customer logs in, you verify the login, and you create a long randomized string JUST for the session. That string is stored in the logged-in users table along with the actual customer ID, date and time, etc. The randomized ID you are storing in the session is then only good for that specific session and will not work at all for the real company tables, etc. If they try to use it a day later they will get logged out. A bonus is that it gives you an easy record of which customers are logging in, for how long, etc. You could put other things in there, like last page visited.
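The "Better" scheme above as an added sketch, not code from the original post. The table name `logged_in_users`, its columns, the helper names and the one-day lifetime are assumptions chosen to match the description, and SQLite stands in for whatever database the application uses.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SESSION_LIFETIME = timedelta(days=1)  # assumed: "a day later they will get logged out"

def open_store():
    """Create the logged-in users table (hypothetical schema) in memory."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE logged_in_users ("
        " token TEXT PRIMARY KEY,"        # random string, valid for one session only
        " customer_id INTEGER NOT NULL,"  # real ID, never sent to the client
        " created_at TEXT NOT NULL,"
        " last_page TEXT)"
    )
    return db

def log_in(db, customer_id, now=None):
    """Call only after the login has been verified; returns the session token."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO logged_in_users VALUES (?, ?, ?, NULL)",
        (token, customer_id, now.isoformat()),
    )
    return token

def resolve(db, token, page=None, now=None):
    """Map a session token to the customer ID, or None if unknown or expired."""
    now = now or datetime.now(timezone.utc)
    row = db.execute(
        "SELECT customer_id, created_at FROM logged_in_users WHERE token = ?",
        (token,),
    ).fetchone()
    if row is None:
        return None  # guessed or stale value: treat as logged out
    customer_id, created_at = row
    if now - datetime.fromisoformat(created_at) > SESSION_LIFETIME:
        log_out(db, token)  # expired: drop the row so the token is dead for good
        return None
    if page is not None:
        db.execute(
            "UPDATE logged_in_users SET last_page = ? WHERE token = ?", (page, token)
        )
    return customer_id

def log_out(db, token):
    """Delete the session row; the token cannot be reused afterwards."""
    db.execute("DELETE FROM logged_in_users WHERE token = ?", (token,))
```

Only the value returned by `log_in` goes into the session; every request calls `resolve` to get the real customer ID server-side.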