Working on very big project and trying to create optimal database usage. I heard that it’s not recomended to save user id’s in $_SESSION variables. I can actually work with only tokens, this tokens are assigned to user id’s in database. The problem is, if I will work with only tokens, I need to do 1 extra operation (query) with database inside script. So the question is, may I save user id inside $_SESSION variables to prevent ectra database operations? How “dangerous” it might be?
Thx in advance.
The only impact I can see, is that somebody who has access to the file system (where php stores session data), can see which users are currently logged in. Normally this should not be a big secret – there are more interesting things on the file system. If you use tokens, the user who has access to the file system would need to have access to the DB as well to get the same information, but usually this would be easy to achieve with access to the file system.
Maybe the person who told you this meant that you should not store passwords in the Session? That of course would be dangerous.
Or he meant that you should not save user ids in cookies?