[eluser]Zack Kitzmiller[/eluser]
[quote author="TheFuzzy0ne" date="1248112133"]No. Ideally, you should store the admin level/status in an encrypted cookie, and use that. That way you're virtually guaranteed that a user cannot access the admin section unless you've specifically set their admin level to do so. Obviously, the admin level will be set when they log in, and ideally, it should be refreshed from the database for each subsequent request, to account for when you remove admin privileges; otherwise you'll find that even when you demote an administrator, they will still keep their credentials until they log out (if they ever do).[/quote]
I completely disagree with this. Leaving this information in a cookie, even with encryption, is not completely safe and could be broken.
I always use encrypted tokens (user_id|user_level|timestamp), and save them in PHP sessions. This is far more secure than storing any information on the client side.
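The approach described in the reply above, written out as an added example (this is not code from the poster or from CodeIgniter): the `user_id|user_level|timestamp` token is kept server-side in the session, carries an HMAC tag so any tampering through other code paths is detected, expires after a fixed age, and the level is re-read from the user store on every request so a demoted administrator loses access immediately rather than at logout. The in-memory `$USERS` array, the `$session` array standing in for `$_SESSION`, the level threshold, the max age and the key placeholder are all assumptions made for the example.

```php
<?php
// Added example, not from the forum post: server-side session token with
// per-request refresh of the admin level from the user store.
declare(strict_types=1);

// Constructed stand-in for the users table; a real app queries the database.
$USERS = [
    42 => ['password_hash' => password_hash('constructed-password-1', PASSWORD_DEFAULT), 'level' => 9],
    7  => ['password_hash' => password_hash('constructed-password-2', PASSWORD_DEFAULT), 'level' => 1],
];

const ADMIN_LEVEL   = 5;     // assumption: levels >= 5 are administrators
const TOKEN_MAX_AGE = 3600;  // seconds before the server-side token must be re-issued
const TOKEN_KEY     = 'PLACEHOLDER-load-a-real-secret-from-config';  // placeholder, not a key

// Build the user_id|user_level|timestamp token, append an HMAC tag, store it in the session.
function issue_token(array &$session, int $userId, int $level, int $now): void {
    $payload = "$userId|$level|$now";
    $session['auth'] = $payload . '|' . hash_hmac('sha256', $payload, TOKEN_KEY);
}

// Login: verify the password hash, then issue the token with the level read from the store.
function login(array &$session, array $users, int $userId, string $password, int $now): bool {
    if (!isset($users[$userId]) || !password_verify($password, $users[$userId]['password_hash'])) {
        return false;
    }
    issue_token($session, $userId, $users[$userId]['level'], $now);
    return true;
}

// Per-request check: validate tag and age, then re-read the level from the store so a
// demoted admin loses access on the very next request instead of when they log out.
function is_admin(array &$session, array $users, int $now): bool {
    if (!isset($session['auth'])) {
        return false;
    }
    $parts = explode('|', $session['auth']);
    if (count($parts) !== 4) {
        unset($session['auth']);
        return false;
    }
    [$userId, $level, $issued, $tag] = $parts;
    $expected = hash_hmac('sha256', "$userId|$level|$issued", TOKEN_KEY);
    if (!hash_equals($expected, $tag) || $now - (int)$issued > TOKEN_MAX_AGE
        || !isset($users[(int)$userId])) {
        unset($session['auth']);  // tampered, expired, or user no longer exists
        return false;
    }
    $currentLevel = $users[(int)$userId]['level'];
    if ($currentLevel !== (int)$level) {
        // Privileges changed since the token was issued: re-issue with the fresh level.
        issue_token($session, (int)$userId, $currentLevel, $now);
    }
    return $currentLevel >= ADMIN_LEVEL;
}

// Demonstration with an in-memory array standing in for $_SESSION.
$session = [];
$now = time();
var_dump(login($session, $USERS, 42, 'constructed-password-1', $now)); // bool(true)
var_dump(is_admin($session, $USERS, $now));                             // bool(true)
var_dump(is_admin($session, $USERS, $now + TOKEN_MAX_AGE + 1));         // bool(false): expired

login($session, $USERS, 42, 'constructed-password-1', $now);
$USERS[42]['level'] = 1;                                                 // demote the administrator
var_dump(is_admin($session, $USERS, $now + 1));                         // bool(false) immediately
```

The HMAC tag is cheap insurance rather than the main control here: because the token never leaves the server, the real guarantees come from the session being server-side and from the level being reloaded from the database on each request, which is what closes the "demoted admin keeps access until logout" gap raised in the quoted reply.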