Actually, my primary professions deals with eCommerce applications. Remember some of the first points of the post. It's plain bad practice to really store a lot of stuff in a session. For this example I was just storing a user id. You'd retain all the user information server-side and never store such things in a cookie, regardless of encryption.
The idea of using just the user id is simply to verify something like a logged in user. You'd only actually pull the data for that user when it's actually needed. As for credit card stuff, it's generally not good practice to ever store credit card information in full without some sort of higher security anyhow. There's actually a rather specific set of information for PCI compliance that your application must follow when using credit cards. Now, even if you do happen to store such things, you generally don't show it to the user anyhow (especially over a non-SSL connection).
MD5 has been cracked already actually. It's a small enough hash that you can break it with today's hardware due to databases being able to easily hold every possible value and reference it rather easily with a rather simplistic dictionary attack. Your encryption is only as strong as the method you're using. For instance, SHA1 will likely be broken before SHA256 is, which will be broken before SHA512, which will be broken before other even higher encryption methods. Unix shadow files are an extremely small and rather easy to break hash much like MD5 (hell it's smaller isn't it?), so they weren't a strong hash to begin with.
Honestly, this method here is no less secure than just brute forcing something like a PHP session id. If anything, when using a higher encryption method it'd be more secure, because even if they have the user id (so long as your application itself isn't broken) there's nothing they can do with it unless they manage to obtain your secret key for your application. Only at that point is your security really compromised.
As one of my instructors once put it, if you really want your data secure, take your system offline, lock it in a safe, and drop it to the deepest part of the ocean.
The idea of using just the user id is simply to verify something like a logged in user. You'd only actually pull the data for that user when it's actually needed. As for credit card stuff, it's generally not good practice to ever store credit card information in full without some sort of higher security anyhow. There's actually a rather specific set of information for PCI compliance that your application must follow when using credit cards. Now, even if you do happen to store such things, you generally don't show it to the user anyhow (especially over a non-SSL connection).
MD5 has been cracked already actually. It's a small enough hash that you can break it with today's hardware due to databases being able to easily hold every possible value and reference it rather easily with a rather simplistic dictionary attack. Your encryption is only as strong as the method you're using. For instance, SHA1 will likely be broken before SHA256 is, which will be broken before SHA512, which will be broken before other even higher encryption methods. Unix shadow files are an extremely small and rather easy to break hash much like MD5 (hell it's smaller isn't it?), so they weren't a strong hash to begin with.
Honestly, this method here is no less secure than just brute forcing something like a PHP session id. If anything, when using a higher encryption method it'd be more secure, because even if they have the user id (so long as your application itself isn't broken) there's nothing they can do with it unless they manage to obtain your secret key for your application. Only at that point is your security really compromised.
As one of my instructors once put it, if you really want your data secure, take your system offline, lock it in a safe, and drop it to the deepest part of the ocean.