Yes. But when I access the user or check if he is logged in with Auth::user(), a query is performed.
The ID is stored in session - for any further details a query is executed. I don't see any major concerns with sticking it all in a session, there might be a slight risk of another account being able to view your session files if you're on a shared host where all virtual hosts share the same session path and both accounts run under the same user: http://websec.io/2012/08/24/Shared-Hosting-PHP-Session-Securit...
I wouldn't recommend putting the user detail in the session unless you're also willing to extend the User model (or repository if you're using one) to apply any updates persisted to the database to the session too, otherwise your application may find itself using information from the session that is out-of-date.
But even this wouldn't completely protect you, since in this multi-device world, users may interact with your application from different sources, each with their own session.
Personally, I'd just accept that one pretty lightweight DB call to guarantee that you're using the up-to-date information is a perfectly acceptable price to pay.
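To make the trade-off above concrete, here is an added illustration (not code from the thread or from Laravel itself) of the "cache the user in the session, refresh it on save" approach. It assumes a standard Laravel app with an Eloquent User model; the CachedUser class, the `auth.user_cache` session key and the file paths are this example's own choices.

```php
<?php
// app/Models/User.php (hypothetical)
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    protected static function booted(): void
    {
        // When this user row is written, overwrite the cached copy in the
        // *current* session only. Other devices logged in as the same user
        // keep their own session and still read stale data until they re-query,
        // which is exactly the multi-device limitation discussed above.
        static::saved(function (User $user) {
            if (session()->get('auth.user_cache.id') === $user->getKey()) {
                session()->put('auth.user_cache', $user->only(['id', 'name', 'email']));
            }
        });
    }
}

// app/Support/CachedUser.php (hypothetical)
namespace App\Support;

use App\Models\User;
use Illuminate\Support\Facades\Auth;

class CachedUser
{
    // Returns a small attribute array for the logged-in user, hitting the
    // database only when the session holds no copy for this user id.
    public static function current(): ?array
    {
        $id = Auth::id(); // reads the id already stored in the session
        if ($id === null) {
            return null;
        }
        $cached = session()->get('auth.user_cache');
        if (is_array($cached) && ($cached['id'] ?? null) === $id) {
            return $cached; // cache hit: no query this request
        }
        $user = User::find($id); // cache miss: the one lightweight query
        if ($user === null) {
            return null;
        }
        // Keep the cached subset minimal: anything put here is readable by
        // whoever can read the session file (see the shared-hosting note).
        $subset = $user->only(['id', 'name', 'email']);
        session()->put('auth.user_cache', $subset);
        return $subset;
    }
}
```

Callers that need guaranteed-fresh data (password or role changes, billing) should still go through `Auth::user()` and the database rather than `CachedUser::current()`.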