Using Session Identifier as security measure

[aps]

Could anyone comment on whether the following technique is safe/reasonable for security?
I require users to login. At the login, they enter their username and pass. A query is run against a MySQL users table. If there is a match to that username and pass, I set a SESSION variable to a particular word. Then on the rest of my code, that is, on the code for the rest of my pages, I check to see whether that SESSION variable is set and equal to that predetermined word. If it is, code executes. If it isn't, code doesn't execute, and sends user back to login page.
It seems to work just fine, but was wondering whether this is really a safe way to do it.
Thanks in advance.
-APS

[swirlee]

It's a pretty typical way to do it. However, rather than using a particular word (which could leave you vulnerable to a dictionary attack), an MD5 has of the password (or the password plus some other data) is usually used.

[aps]

Thanks. I like that idea. I looked up the MD5 function...very cool...wasn't even aware that it existed.

The reason I had considered using a standard set word, rather than the user's specific password, was that I didn't want to have to query the users database every time for every page to confirm them.

Am I correct in assuming that the password approach you are speaking of would then run a quick query at the beginning of each page within the app to test whether a record exisits for that user and password? Or is there another approach?

Am I silly to think that the extra processing (in MySQL) would slow the application down?

Thanks for helping me to think this through.
-APS