Well, I have now implemented session handling, but I am not quite sure how to work with it.
My concern is the following:
Let's say a user is logged in and wants to get a list of items from a specific store. So the client will send me an id for a store. That id will be linked to an actual id for a store entity that I use in my MySQL database. An intruder could just exchange that id and therefore receive back the "wrong" data from my server.
Here is my question: Is it enough to send the session ID over HTTPS inside the payload in order to be safe here? Is there anything else I have to consider if I don't want hostile users to be able to lure information out of the server that they are not supposed to see? I am rather new to web development, but I am working on something that is supposed to become something like commercial software in .. well, someday :D However, even if it were just for the sake of learning something new, how is this done safely?
You've presumably got in your database an association between users and stores. So when you get a request for store items, you check the passed store ID to see whether the current session's user is associated with the store. If the user is not authorised to view the store, you reject the request.
Authentication is only half the story. You need to do this kind of authorisation checking for every action a user can take in your application.
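One way to implement the check described in this answer, as an added example that is not part of the original post: Python with an in-memory SQLite database standing in for the MySQL tables. The table names, the `SESSIONS` dictionary (a stand-in for whatever server-side session store the app uses) and the sample rows are assumptions. The user id always comes from the server-side session, never from the request payload; only the store id is client-supplied, and it is treated as untrusted input (parameterised query, membership check before any data is returned).

```python
import sqlite3

# Constructed schema standing in for the MySQL tables (assumption: the app has
# users, stores, a user<->store membership table, and items belonging to stores).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE user_stores (
    user_id INTEGER NOT NULL, store_id INTEGER NOT NULL,
    PRIMARY KEY (user_id, store_id));
CREATE TABLE items (id INTEGER PRIMARY KEY, store_id INTEGER NOT NULL, name TEXT NOT NULL);
"""

# Constructed sample data: alice owns store 10, mallory owns store 20.
SAMPLE_DATA = [
    ("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "mallory")]),
    ("INSERT INTO stores VALUES (?, ?)", [(10, "alice's shop"), (20, "mallory's shop")]),
    ("INSERT INTO user_stores VALUES (?, ?)", [(1, 10), (2, 20)]),
    ("INSERT INTO items VALUES (?, ?, ?)",
     [(100, 10, "widget"), (101, 10, "gadget"), (200, 20, "gizmo")]),
]

# Hypothetical server-side session store: session id -> user id. Only the server
# writes to it; the client never gets to choose which user a session maps to.
SESSIONS = {"sess-alice": 1, "sess-mallory": 2}


class Forbidden(Exception):
    """Raised when a request must be rejected (not logged in, or no access)."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_DATA:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def current_user(session_id):
    """Authentication: map the presented session id to a user, or reject."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise Forbidden("not logged in")
    return user_id


def is_member(conn, user_id, store_id):
    """Authorisation: is this user associated with this store?"""
    row = conn.execute(
        "SELECT 1 FROM user_stores WHERE user_id = ? AND store_id = ?",
        (user_id, store_id)).fetchone()
    return row is not None


def list_items_insecure(conn, session_id, store_id):
    """Vulnerable variant: checks the session but trusts the client's store id,
    so any logged-in user can read any store's items by swapping the id."""
    current_user(session_id)
    cur = conn.execute(
        "SELECT name FROM items WHERE store_id = ? ORDER BY id", (store_id,))
    return [r[0] for r in cur]


def list_items(conn, session_id, store_id):
    """Hardened variant: authenticate, then authorise the (user, store) pair
    before touching the items table."""
    user_id = current_user(session_id)
    if not is_member(conn, user_id, store_id):
        # Same rejection whether the store does not exist or belongs to someone
        # else, so the response does not reveal which store ids are valid.
        raise Forbidden("no access to store")
    cur = conn.execute(
        "SELECT name FROM items WHERE store_id = ? ORDER BY id", (store_id,))
    return [r[0] for r in cur]


if __name__ == "__main__":
    db = open_db()
    # mallory tampers with the store id and asks for alice's store (10)
    print("insecure:", list_items_insecure(db, "sess-mallory", 10))  # leaks alice's items
    try:
        list_items(db, "sess-mallory", 10)
    except Forbidden as e:
        print("hardened:", e)
    print("alice:", list_items(db, "sess-alice", 10))
```

The same `is_member` check has to guard every endpoint that takes a store id (adding items, editing, deleting), not just the listing; a common pattern is to put it in one helper like the one above and call it from each handler, so a forgotten check is easy to spot in review.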