To answer your first question, nothing provides full security. Try as you may, people that know what they are doing can always invent new cracks. What are some holes with sessions? Sessions are, however, the best (in my opinion) thing for security. Sessions coupled with SSL make a nice secure site that I would probably trust my credit card to. I can't think at the moment of any real holes that you could make for yourself. (Although I am kinda tired 🙂 ).
To answer your second question, passwords can be stored in a database safely. What would I do to make sure that they are safe? I would use the md5 hash function (which is 1 way encryption) and then, when someone wants to log in, compare two hashed passwords together instead of 2 "open" passwords. This is how Unix security (and to some degree Windows NT security) works. A file wouldn't be better (again in my opinion) because of the file permissions that you have to set up. With a database your data is stored behind a password and user. You can't just access the data, no matter what it is, in a database without the password.
Hope this helps some!