Session Security Issue

Hi,

I am writing a php based website for a database containing businessinformation. Users can sign in with a username and password. Each user has an amount of priveliges: "Read, Write, Delete" Those 3 are booleans.

When the user visits a webpage there should appear information according to his privileges. And there should appear buttons (f.e.Delete button ) according to the user his privileges.

So on every webpage there need to be a fast check of these privileges

One thing is sure: I am going to program this using Sessions.

I am a bit in a dilemma though. Because I see 2 options here. I would like you to help me make a decision.

First possibility:
After the first successfull login: store the username and (a md5 hash of) the password in session variables. After that, check the privileges (in the database) again on every visit of a page. Very safe imho.

Second possibility:
After the first successfull login: store all privileges and the username in Session variables. When the user visits the next page it will not be necessary to search in the database again.

The reason why I am not sure is because I am not sure how safe Sessions are. From experience I would choose the first possibility. Although I believe Sessions are really 99% server side so there's not much that can go wrong, right?

If I am not mistaken, session ID's are stored in the client header though. Is this dangerous?

Thanks in advance.

I did something on this line for my old job. I had to limit the amount of information a person saw and could use. I didnt need serious protection so I just got creative.

The passwords each had 3 values hidden in it, such as "12A34B56C". It just looked random but those 3 letters meant something. When they first logged in I stripped thos characters and then those meant thier levels. AAA ment they could do anything, ABA ment they could not delete information but could do everything else.

Then in the code, I had those 3 characters passed through the pages, something like mainpage.php?action=new&val1=profile&psl=ABC, etc

PSL = Persons security level. then every page checked these. I am sure its not what you need but incase anyone else wonders, this is how I did it.