Let's say that a user has been issued a security ticket cookie and it has the authenticated user's id written into it. If a third party were to capture the security cookie, then I believe that they could gain access to any secured pages and be able to access the user's information. If, however, the user's id was in session, say, then even the third party could gain access to a site's secured areas but they'd be missing a crucial piece of information that would enable them to do anything!
So surely the second scenario is more secure? It does however seem to be fairly standard practice to write user ids into the ticket!