I use the common method of $_SESSION to authenticate logged-in members, but it is recommended not to use $_SESSION['ID'] with a simple numeric ID as it can be faked. I was thinking of assigning a temporary access token (similar to Facebook), then storing it in the MySQL row of the user upon successful login. Then, when a user wants to edit his profile:
if ($_SESSION['access_token'] === $accessTokenFromDb) { /* edit profile */ } // $accessTokenFromDb: access token captured from MySQL
The disadvantage of this system is that upon every login, we need a MySQL write query; but I think the security is significantly high. And of course, I need to INDEX the access token column.
Is it a practical method? Do I need to improve something in this scenario?
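
The scheme described in the question, as an added PHP example that is not part of the original post: a random token is issued at login, only its SHA-256 hash is written to the user's row, and the session copy is checked with a constant-time comparison. The `users.access_token_hash` column and the function names `loginIssueToken` and `tokenIsValid` are hypothetical, an in-memory SQLite database stands in for MySQL so the script runs offline, and the `$session` array stands in for `$_SESSION`.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and function names are assumptions.
// SQLite in memory stands in for MySQL; $session stands in for $_SESSION.

function loginIssueToken(PDO $db, int $userId, array &$session): void
{
    $token = bin2hex(random_bytes(32));                 // 256-bit token from the CSPRNG
    $stmt = $db->prepare('UPDATE users SET access_token_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]);  // the database keeps only the hash
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);                    // fresh session ID at login
    }
    $session['user_id'] = $userId;
    $session['access_token'] = $token;
}

function tokenIsValid(PDO $db, array $session): bool
{
    if (!isset($session['user_id'], $session['access_token'])
        || !is_string($session['access_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT access_token_hash FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);              // lookup is by primary key
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {                          // unknown user or no token issued
        return false;
    }
    return hash_equals($stored, hash('sha256', $session['access_token']));
}

// Constructed demo data: one user with no token yet.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, access_token_hash TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$session = [];
loginIssueToken($db, 1, $session);
var_dump(tokenIsValid($db, $session));  // session created by the current login

$stale = $session;                      // copy of the session from the first login
loginIssueToken($db, 1, $session);      // a second login rotates the token
var_dump(tokenIsValid($db, $stale));    // checked against the rotated token
var_dump(tokenIsValid($db, $session));
```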