When you use sessions, a random string is generated to identify a user – this string is called the session ID. The session ID is stored in a cookie, and cookies are sent to the web server with every request. On the server, the session ID is then connected with the session data.
An attacker can’t change the session data; therefore, storing a user ID in the session is not a security threat.
For cases when an attacker steals someone’s session ID, you can protect the session by checking whether the user agent and IP address are the same as when the session was created. If not, just destroy the session.
To identify a user, you need to connect the session with a user. Doing so through a chain of tables in the database doesn’t provide any security.
solved How to store session id as foreign key in phpmyadmin
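The check described in the answer above, sketched in PHP as an added example (not code from the original answer): the user ID is kept in the server-side session data, and the session is destroyed when the user agent or IP address differs from the one recorded at login. The function names and the `user_id` / `fingerprint` session keys are assumptions chosen for illustration.

```php
<?php
// Added example. Helper names and $_SESSION keys are hypothetical.

// Values the answer suggests comparing: client IP address and user agent.
function client_fingerprint(array $server): array
{
    return [
        'ip' => $server['REMOTE_ADDR'] ?? '',
        'ua' => $server['HTTP_USER_AGENT'] ?? '',
    ];
}

// Call once, right after the user has authenticated successfully.
function bind_session(int $userId): void
{
    session_regenerate_id(true);            // issue a fresh ID, drop the old session
    $_SESSION['user_id'] = $userId;         // stored server-side, never in the cookie
    $_SESSION['fingerprint'] = client_fingerprint($_SERVER);
}

// Remove the session data, the session cookie and the server-side record.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call on every request. Returns the user ID, or null when nobody is logged
// in or the request does not match the client that created the session.
function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if ($_SESSION['fingerprint'] !== client_fingerprint($_SERVER)) {
        destroy_session();                  // mismatch: treat the ID as stolen
        return null;
    }
    return (int) $_SESSION['user_id'];
}

session_start(['cookie_httponly' => true]); // keep the ID out of reach of page scripts
$userId = current_user_id();                // null means: require a new login
```

Clients whose IP address changes during a session (mobile networks, some proxies) will be logged out by this check and have to sign in again.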