I guess it’s a bad idea to store token in user’s cookies + in my database and then compare those two? I have my own session id for that now. What bad can happen if someone will steal user’s token? I’m thinking about turning them into md5 hash in database.