How do I get database values for currently logged in users?


DeX

I'd like to display a user profile for the currently logged in user so they can edit their contact details. I already have a secure login scripted which works well and it stores the user_id, username and a login_string into session variables. The login_string is a long alphanumeric string of hashed values used when checking the logged in status of the user but it's not stored in the database.

 

My concern is if I pass the user_id from the session variable to the model to get the user contact information, the user can easily change that variable in order to display someone else's information. So should I continuously hash the same variables to compare the login_function or should I just store it in the database once the user logs in so that it's readily available to do a comparison on any time I need database information?

 

Does that make sense?

As long as you don't expose to the user the ID you're using to find profile information, which you shouldn't do anyways because you're displaying the currently logged-in user regardless, then it's fine.
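
An added example, not part of the original thread, of the approach the reply describes: the model takes the user id only from the server-side session data and never from anything the browser sends. It assumes PHP with PDO; the table, the function names `getProfile` and `updateEmail`, and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test')");

// Hypothetical helper: returns the logged-in user's id from session data, or null.
function sessionUserId(array $session): ?int
{
    return (isset($session['user_id']) && is_int($session['user_id'])) ? $session['user_id'] : null;
}

// Hypothetical model method: the lookup key is the session id, nothing else.
function getProfile(PDO $pdo, array $session): ?array
{
    $id = sessionUserId($session);
    if ($id === null) {
        return null; // not logged in
    }
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical model method: only the submitted email is read from the form.
function updateEmail(PDO $pdo, array $session, array $post): bool
{
    $id = sessionUserId($session);
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($id === null || $email === false) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET email = :email WHERE user_id = :id');
    $stmt->execute([':email' => $email, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Constructed request: bob is logged in and submits a forged user_id form field.
$session = ['user_id' => 2, 'username' => 'bob'];                  // stands in for $_SESSION
$post    = ['user_id' => '1', 'email' => 'bob.new@example.test'];  // stands in for $_POST

updateEmail($pdo, $session, $post);                                // the forged field is never read
print_r(getProfile($pdo, $session));                               // bob's row, with the new email
print_r($pdo->query('SELECT email FROM users WHERE user_id = 1')->fetchAll(PDO::FETCH_COLUMN)); // alice unchanged
```

With PHP's native sessions the contents of `$_SESSION` are stored on the server and the browser holds only the session identifier cookie, so the id used in the query is not a value the user can edit in a form or URL.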

Archived

This topic is now archived and is closed to further replies.
