Tags: security, session, encryption

Do we need to encrypt the session ID before saving it into the database?


I want to use a database for session storage and have designed a simple table containing three columns: SessionID, Key, and Value, with SessionID and Key serving as the primary keys.

My question is: Should I encrypt the user's SessionID before storing it in the table? In my opinion, I should, because it prevents someone with database access from viewing active session IDs.


Solution

  • You could encrypt the session, but it's not standard practice. Typically, the database is well protected, with only the web/application server being able to access it.

    Also, since sessions should expire (and time out), the damage is mitigated to a small window of time even if it were accessed.

    If you do decide to encrypt the session ID, it should be fairly easy, especially if you have an object-oriented approach. You can simply encrypt the session near the persistence layer.

    A more common problem is having the session ID sniffed off the wire. Ensure you're forcing HTTPS between the client/browser and application/web server to prevent that.

    Also, you can request the password again on any serious operations to further mitigate session hijacking issues.