Not all the servers serialize the session to the hard drive. For instance,
IBM websphere Commerce Suite intensively employ the back-end DB2 database and its session is relatively simple. It seems to me we cannot
prevent System Adminstors from doing something.
By the way, customer ID and password should be saved to DB.