I'm developing an e-commerce site with PHP and MySQL and need some advice as to whether I've got my head around security. I was wondering if I've done enough and if there was anything I've missed.
Session Security...
Here's my biggest worry and what i've done to try to combat it.
On every new page a new session ID is generated through
session_regenerate_id();
The old session is destroyed and all data is copied to the new session.
When a user logs in they are SSL secured and are SSL secured until they logout (or leave the site).
In my mind this will stop session hijacking, as if the hacker manages to get the session ID before the user logs on it will be useless, as it will change on the next click (being the login click). When the user logs in the hacker will then need to contend with 128-bit crypt on all headers to get the session ID. Is this enough?
I'm still a little worried as to the security and am wondering if there is anything more I can do to secure up the site.
Passwords are stored in a MD5 hash with 2 character salt.
The userid is stored in the session when they login to use in any SQL scripts.
I've read that storing the session ID and UserId in a table and referencing it that way is a good thing to do? If I change the session ID each time then I'd be forever reaching to my database.
Thanks if anyone can offer advice...
SSL and "smart" session handling will not help much against 'man in the middle' attacks. So I suggest paying a lot of attention to securing the server and PHP variable/input/error handling.
You will avoid SQL injection if you validate and prepare user input before using it in queries. Some nice classes for that can be found in PHP PEAR [pear.php.com], Hotscripts [hotscripts.com] and so on. For example, the PEAR DB class automatically prepares all variables passed to the query against SQL injection.
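The two points raised in this thread, regenerating the session ID at login and keeping user input out of the SQL string, put together in one login handler. This is an added example, not code from either poster: it assumes a PDO connection to an assumed `users(id, email, password_hash)` table, stores passwords with PHP's `password_hash()`/`password_verify()` (bcrypt) instead of the MD5 + 2-character salt described above, and uses the array form of `session_set_cookie_params()` (PHP 7.3+).

```php
<?php
// Added example (not the original poster's code). Table and column names
// are assumptions; passwords are stored with password_hash(), not md5().

function connect_db(): PDO {
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Returns the user's id on success, or null on failure. The e-mail is bound
// as a parameter, so it can never alter the query structure.
function authenticate(PDO $pdo, string $email, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response whether the user is missing or the password is wrong
    }
    return (int) $row['id'];
}

// Issue a fresh session ID at the privilege change (login): any ID an
// attacker captured or planted before this point no longer maps to the
// authenticated session. The user id then lives only server-side in $_SESSION.
function login_user(int $userId): void {
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Cookie flags: only over SSL, not readable by page scripts, not sent cross-site.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = connect_db();
    $id  = authenticate($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($id === null) {
        http_response_code(401);
        echo 'Login failed';
    } else {
        login_user($id);
        header('Location: /account');
    }
}
```

Existing MD5 rows can be migrated on the user's next successful login by verifying against the old hash once and then overwriting the column with `password_hash()`.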