Additional layer of security when logging in (Session variables)
I've been thinking about the session variables created on the log on page. The default session variable created is the userID, but that's just a number. Could I create an additional session variable, such as username, to validate both the userID and username together? I.e. the userID and username must be in the same record for the user to view the page.
My thinking: if the session variable is stored in a cookie and the user's PC is compromised (they didn't log out), someone may be able to work out the session variables and then start sifting through the shop database.
Or I'm overthinking a problem that doesn't exist.