douzhiji2020 2012-06-05 15:11

Alternatives to sessions for keeping a user logged in

I'm doing a practice project in PHP (making a forum), and trying to decide on a mechanism to keep a user logged in. I've created a user class, through which a user is authenticated (on sign in) and all future user-account-related operations will be through that class (i.e. user-related info retrieval, when a user makes a post/comment, etc.).

To keep a user logged in, the easiest path seemed to be to use sessions and store the user object in a session (not cookies since that would be a security risk), but after doing some research I found out that sessions can put a huge load on a system, especially if large amounts of data are saved in them.

After trying to figure out a solution for this I came up with two alternatives:

  1. Put only the user ID in the session, and through the user ID remake the user object each time. However again this would seem to be a bad implementation since the database will have to be re-queried each time.

  2. Save the user ID in the session (once the user has successfully logged in of course), and save the whole object in a cookie, and each time before using the cookie, authenticate the cookie by matching the user ID in session with the user ID in cookie. I'm not quite sure how cookies work, but since some critical user info may be stored in the user object (hence the cookie), is there some kind of security risk here? Can cookies be stolen?

Is there another alternative which is better? Whether it be a different way to use sessions or cookies, or to use some method completely different from session and cookies?

2 answers

  • doubi2014 2012-06-05 15:18

    I would go for:

    1. Put only the user ID in the session, and through the user ID remake the user object each time. However again this would seem to be a bad implementation since the database will have to be re-queried each time.

    and turn on MySQL query cache which will make your frequent queries much faster. I don't recommend $_SESSION if your data is huge (but how big is this data actually?)

    This answer was chosen as the best answer by the asker.
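
Option 1 from the question (only the user ID in the session, the user record reloaded on each request), as an added example that is not part of the original question or answer. The table layout, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the forum's users table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');
$pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

function startSession(): void
{
    // The browser only ever holds the random session ID. These settings limit
    // how that cookie can leak: no script access, HTTPS only, no cross-site POSTs.
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,                    // assumes the forum is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function logIn(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh ID after login, old one deleted
    $_SESSION['user_id'] = (int) $row['id'];   // the only value kept in the session
    return true;
}

function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;                           // not logged in
    }
    // One primary-key lookup per request rebuilds the user data from the ID.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

startSession();
var_dump(logIn($pdo, 'alice', 'constructed-sample-password'));
var_dump(currentUser($pdo));
```

Because no user data is placed in a cookie, a stolen or edited cookie exposes at most the session ID, which the cookie flags and the regeneration on login are there to protect.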