retrieving users info without storing the userID in a session var.



jeskel
05-29-2004, 12:47 PM
Hi :)

I've read here and there that storing the userID in a session after the login process was an evil thing.

First question: I would like to understand why? I mean, passing some data identifying the user in the URL doesn't seem to be a better solution to me. Is it because of cross-site scripting and security issues like that?

Second question: what would be a good solution to retrieve users data the 'most secure way'?

thanks a lot for your time :)

juniorx
05-29-2004, 01:45 PM
For me, I find sessions to be the most secure way. Another less secure way is cookies. I use both. For those wanting to save their password so they don't have to log in each time, I use cookies, which then store that value in the session. I simply compare the password and username. To make sure that someone will not keep changing the password, encrypt it. Not sure if this is the answer you're looking for, but that's the only way I figured I could get it done securely...
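
An added example, not part of the posts above: one way to build the "remember me" cookie described in the reply so that the cookie carries a random single-use token instead of the password, while the userID lives only in the server-side session. Python is used for illustration; the in-memory dictionaries and the function names are assumptions standing in for a database table and a session store.

```python
import hashlib
import hmac
import secrets

# In-memory stand-ins for a database table and the server-side session store
# (both hypothetical; a real application would use its framework's storage).
REMEMBER_TOKENS = {}   # selector -> (sha256 of validator, user_id)
SESSIONS = {}          # session id -> {"user_id": ...}


def issue_remember_cookie(user_id):
    """Return the cookie value to set after a successful password login."""
    selector = secrets.token_hex(8)        # public lookup key
    validator = secrets.token_urlsafe(32)  # secret, only its hash is stored
    digest = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (digest, user_id)
    return f"{selector}:{validator}"


def login_from_cookie(cookie_value):
    """Validate a remember-me cookie.

    Returns (session_id, new_cookie) on success or (None, None) on failure.
    """
    selector, sep, validator = cookie_value.partition(":")
    # Single use: the stored record is consumed whether or not the check passes.
    record = REMEMBER_TOKENS.pop(selector, None)
    if not sep or record is None:
        return None, None
    digest, user_id = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison of the stored and presented hashes.
    if not hmac.compare_digest(presented, digest):
        return None, None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id}  # userID stays server-side
    # Rotate: the browser gets a fresh token for its next visit.
    return session_id, issue_remember_cookie(user_id)
```

The browser only ever holds the random session id and the random token, so a leaked cookie does not reveal the password and stops working once it has been used or revoked.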


