Dear Monks,
I am creating a website that will require the user to use a login and password.

I've looked at websites that explain how to make a site secure and many of them recommend not putting the username of the user as a cookie.

I would never save the password in a cookie and I would never pass the username or password as a hidden variable (that's just dumb) .... my question is this:

The sites that suggest not putting the username or userid as a cookie -- how else am I supposed to figure out whether a user is logged in or not? Is there any other way?

Right now I have it so that when a person logs in (or if they create a new account) I place a cookie saying that 'this userid is logged in'. Every time they click on a link (ie. go to their account manager, post an event, etc.) I immeidately check the cookie to see who it is and if there is not userid cookie then I print the login page and tell them to login.

Anything insecure about this? If so, please let me know and tell me how to make a site 100% secure with regards to logging in and passwords (currently the passwords are stored in a DB and encrypted).

Also, people have recommended storing the sessionid in the DB along with the user id so I can figure out who the user is .... Correct me if I'm wrong but that means anytime they view another page they my programs will have to query the DB -- isn't that inefficient? Thanks!