I am working on a web application. What should I do after a userid and the password are verified according to the user database information? Should I store the userid in a session object? This way, when a user orders something from my site, I can get the userid from the session object, and correctly bill him (instead of somebody else) in the database, right? Otherwise, login or not, it does not make any difference. Right?