Hello:
On page 430 (Chapter 13) in the sidebar titled MORE SECURITY RECOMMENDATIONS it recommends watching how "database references are used." More specifically it mentions that using a table's primary key in a cookie is a security risk.
This makes sense, but I'm wondering, is the same true when storing a table's primary key in a session variable?
My thinking is that it's okay in a session variable since the session is stored on the server, not in the client's web browser. I believe that in order to alter $_SESSION['userid'], e.g., you would need to have access to the same server - so that you could put in a dummy page that reassigns $_SESSION['userid'] as one wants - and you would need to know the name of the session variable.
If there's a better way to access user data throughout a site other than storing the primary key from the users table in $_SESSION['userid'] (or whatever), I'd love to know what's recommended.
Thanks very much!
Best,
Adam
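
The difference the post asks about, as an added example that is not code from the book or from the poster: a primary key read from a cookie beside the same key kept in `$_SESSION`. The `users` table, its `id`, `email` and `password_hash` columns, the PDO connection and all function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern the sidebar warns about: the primary key travels in a cookie.
// The browser supplies this value on every request, so the server cannot
// tell whether it is the value it originally set.
function currentUserIdFromCookie(): ?int
{
    return isset($_COOKIE['userid']) ? (int) $_COOKIE['userid'] : null;
}

// Session-based alternative: the browser holds only the random session ID;
// the primary key stays in server-side session storage.
function startAppSession(): void
{
    session_start([
        'cookie_httponly' => true,  // keep the session ID away from page scripts
        'cookie_secure'   => true,  // send the session cookie over HTTPS only
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,  // refuse session IDs the server did not issue
    ]);
}

// Hypothetical login: look up the user, check the password, then store the key.
function logIn(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);            // issue a new session ID at login
    $_SESSION['userid'] = (int) $row['id']; // written by server code only
    return true;
}

// Pages read the key from the session, never from request data.
function currentUserId(): ?int
{
    return $_SESSION['userid'] ?? null;
}
```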