Josh

Reputation: 690

Can Session be used to store secure info?

I have a PHP program which has a login page and a logout page. When a user has successfully logged in, they are redirected to index.php.

When index.php is loaded, it fetches the data from the database (MySQL, i.e. Select * from users), populates some of the user data and displays it in a nice table format:

Name         Phone             DOB          ...             Option
John Doe     xxx-xxx-xxxx      mm-dd-yy     ...             [Edit] [Details]...

etc

Not all fields from the query results will be displayed in the above table, only some of them will.

Under the Option column there is an option called "Details"; when it is clicked, the user will be able to see some secure info.

I can think of two ways of doing it:

  1. When index.php is loaded, instead of calling Select * from users (where * will contain some security info), I'll just call "Select id, fullname, phone, dob from users" (don't select something unless it's necessary). Then when "Details" is clicked, I'll pass the id and retrieve the secure info from the db by using that id. (IMO this is the most secure way, but I'll have to make an extra query call.)

  2. When index.php is loaded, I'll just do a Select * from users and save the query results (arrays) into Session. Then when "Details" is clicked, I'll just retrieve the array from the Session. This way I don't have to make an extra query call; however, I'm not sure if Session is secure or not.

Which way is better in terms of security? (If neither of them is, please advise how I should do this.)

Upvotes: 0

Views: 69

Answers (1)

Halcyon

Reputation: 57709

Storing data in the session is safe. Storing data in cookies is not safe.

Sessions are stored on the server, cookies are stored by the client (hence they are unsafe).

As far as performance goes... it depends. There is no single answer; do what works for you, but by all means keep it simple.

Upvotes: 4
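Option 1 from the question, sketched as an added example that is not part of the original question or answer: the list view selects only the displayed columns, and the details view fetches the sensitive column for one validated id through a prepared statement, only when a login session exists. The `secure_info` column, the `user_id` session key, the function names and the sample row are assumptions made for illustration, and in-memory SQLite (PDO with the SQLite driver, PHP 8) stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the MySQL database described in the question.
// Only id, fullname, phone and dob come from the question; secure_info is hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fullname TEXT,
            phone TEXT, dob TEXT, secure_info TEXT)');
$pdo->exec("INSERT INTO users (fullname, phone, dob, secure_info)
            VALUES ('John Doe', '555-0100', '01-02-90', 'constructed secret')");

// index.php: the list view never reads the sensitive column.
function listUsers(PDO $pdo): array
{
    return $pdo->query('SELECT id, fullname, phone, dob FROM users')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// details.php: one row, sensitive column included, for a logged-in caller only.
function userDetails(PDO $pdo, array $session, mixed $rawId): ?array
{
    if (empty($session['user_id'])) {
        return null; // no login session: do not query at all
    }
    // The id arrives from the request, so validate it before use.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the id is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, fullname, secure_info FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: the array stands in for $_SESSION, the string for $_GET['id'].
foreach (listUsers($pdo) as $u) {
    // Escape on output, as the rows end up in an HTML table.
    echo htmlspecialchars("{$u['id']} {$u['fullname']} {$u['phone']} {$u['dob']}"), PHP_EOL;
}
var_dump(userDetails($pdo, [], '1'));                 // caller without a session
var_dump(userDetails($pdo, ['user_id' => 7], 'abc')); // id that is not an integer
var_dump(userDetails($pdo, ['user_id' => 7], '1'));   // logged-in caller, valid id
```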
