The PHP Scalability Myth
Subject:   Hidden variables for session state?
Date:   2003-10-17 20:23:47
From:   tarrant
Response to: Hidden variables for session state?

If you're putting the session in the db, you just need to send a cookie containing the id to the browser. This id wouldn't need to be encrypted all the time; you could simply give the browser a large random session id at the beginning, and you would therefore protect your sessions from spoofing.

Actually, I've usually had a userid and sessionid in separate cookies, with the sessionid being a random number. If someone tries to use their sessionid but someone else's userid, then there's a system alert and the session token isn't valid.
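
The scheme described in the post above, as an added example that is not part of the original post or the poster's code: a random session id kept server-side in a database, checked against the userid cookie on each request. The `sessions` table, the function names, the in-memory SQLite database, storing a SHA-256 hash of the id instead of the id itself, and deleting the session on a mismatch are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: one row per session, keyed by a hash of the random id,
// so a leaked copy of the table does not hand out usable cookies.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY,
                                  user_id  INTEGER NOT NULL,
                                  expires  INTEGER NOT NULL)');

// Issue a session: the return value is what goes into the sessionid cookie
// (send it with the Secure and HttpOnly flags set).
function start_session(PDO $db, int $userId, int $ttl = 1800): string
{
    $sid = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $db->prepare('INSERT INTO sessions (sid_hash, user_id, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $sid), $userId, time() + $ttl]);
    return $sid;
}

// Validate the sessionid cookie together with the userid cookie.
function check_session(PDO $db, string $sid, int $claimedUserId): bool
{
    $sidHash = hash('sha256', $sid);
    $stmt = $db->prepare('SELECT user_id, expires FROM sessions WHERE sid_hash = ?');
    $stmt->execute([$sidHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int)$row['expires'] < time()) {
        return false; // unknown or expired id
    }
    if ((int)$row['user_id'] !== $claimedUserId) {
        // A valid sessionid presented with another user's id: raise the alert
        // and make the token unusable from now on.
        error_log(sprintf('ALERT session/userid mismatch: claimed=%d owner=%d',
                          $claimedUserId, (int)$row['user_id']));
        $db->prepare('DELETE FROM sessions WHERE sid_hash = ?')->execute([$sidHash]);
        return false;
    }
    return true;
}

// Constructed sample run: user 42 logs in, then the cookie pair is replayed.
$sid = start_session($db, 42);
var_dump(check_session($db, $sid, 42)); // matching userid
var_dump(check_session($db, $sid, 7));  // someone else's userid: alert, token revoked
var_dump(check_session($db, $sid, 42)); // same token after revocation
```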