I've read here and there that storing the userID in a seesion after the login process was an evil thing.
First question: I would like to nuderstand why? I mean, passing some data identifying the user in the url doesn't seem to be a better solution to me. Is it because of cross site scripting and security issues like that?
Second question: what would be a good solution to retrieve users data the 'most secure way'?
thanks a lot for your time