Dec 21st, 2005, 02:50 PM
#1
Thread Starter
Hyperactive Member
Session Security Issue
Hi,
I am writing a PHP-based website for a database containing business information. Users can sign in with a username and password. Each user has a number of privileges: "Read, Write, Delete". Those 3 are booleans.
When the user visits a webpage, information should appear according to his privileges. And buttons (e.g. a Delete button) should appear according to the user's privileges.
So on every webpage there needs to be a fast check of these privileges.
One thing is sure: I am going to program this using Sessions.
I am a bit in a dilemma though. Because I see 2 options here. I would like you to help me make a decision.
First possibility:
After the first successful login: store the username and (an MD5 hash of) the password in session variables. After that, check the privileges (in the database) again on every visit of a page. Very safe imho.
Second possibility:
After the first successful login: store all privileges and the username in session variables. When the user visits the next page it will not be necessary to search in the database again.
The reason why I am not sure is because I am not sure how safe Sessions are. From experience I would choose the first possibility. Although I believe Sessions are really 99% server side so there's not much that can go wrong, right?
If I am not mistaken, session IDs are stored in the client header though. Is this dangerous?
Thanks in advance.
____________________________________________
Please rate my messages. Thank you!
____________________________________________
Bram Vandenbon
http://www.bramvandenbon.com
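
As an added illustration (not part of the original post), here is a variant of the first possibility in PHP: the session holds only the user's id, and the three privileges are re-read from the database on each request. The `users` table, its columns and the function names are assumptions; the in-memory SQLite database and the account in it are constructed sample data.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Table, column and function names are assumptions.
// Constructed sample data: an in-memory SQLite table standing in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           pw_hash TEXT, can_read INTEGER, can_write INTEGER, can_delete INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, pw_hash, can_read, can_write, can_delete)
                     VALUES (?, ?, 1, 1, 0)');
$ins->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);

function start_session(): void {
    // The session ID travels in a cookie; restrict how the browser sends it (assumes HTTPS).
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_start();
}

function login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // new ID after login, old one is discarded
    $_SESSION['user_id'] = (int) $row['id']; // only the identity, no password material
    return true;
}

function current_privileges(PDO $db): array {
    $none = ['read' => false, 'write' => false, 'delete' => false];
    if (!isset($_SESSION['user_id'])) {
        return $none;
    }
    // One primary-key lookup per request: a revoked privilege takes effect immediately.
    $st = $db->prepare('SELECT can_read, can_write, can_delete FROM users WHERE id = ?');
    $st->execute([$_SESSION['user_id']]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return $none;                        // account deleted since login
    }
    return ['read' => (bool) $row['can_read'], 'write' => (bool) $row['can_write'],
            'delete' => (bool) $row['can_delete']];
}

start_session();
var_dump(login($db, 'alice', 'constructed-password'), current_privileges($db));
```

The same `current_privileges()` result should gate both the rendering of a button and the handler that performs the action, since hiding a button does not stop a request from being sent.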