The Session object allows setting and getting session data for a user. I also want to use it to keep some state that, however, should not be available to the user. I keep information like the user's roles etc. and don't want to share this or, even worse, let the user modify the content. I can for sure code this. However, a unique session identifier would be nice there.
If you use the version of Meteor in the auth branch, Meteor will expose a this.userId() on the server that you can use to 'track' a user. A user account is also created in the Meteor.users collection, which can be used on both the client and the server. Within each user's document, if you put data within the 'private' property, Meteor will make sure NOT to ship that to the client, so you can store any information there that you don't want the user/client to see. As for protecting writes, the auth branch also has ways you can validate writes before allowing them (on the server) using Collection.allow(). See the docs: https://github.com/meteor/meteor/wiki/Getting-Started-with-Auth
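
The two server-side controls described in the answer (a 'private' property that is never shipped to the client, and write validation before a client update is applied) can be modelled in plain Node.js. This is an added example, not part of the original posts and not Meteor's own code; `ServerCollection`, `insertTrusted`, `publishTo` and `clientUpdate` are hypothetical names, and the sample users are constructed.

```javascript
// Stand-alone model of the pattern; no Meteor runtime is used.
const clone = (value) => JSON.parse(JSON.stringify(value));

class ServerCollection {
  constructor() {
    this.docs = new Map();   // authoritative copy, lives only on the server
    this.allowRules = [];    // validators in the spirit of Collection.allow()
  }
  // Trusted server code writes directly and is not subject to allow rules.
  insertTrusted(doc) { this.docs.set(doc._id, clone(doc)); }
  allow(rule) { this.allowRules.push(rule); }
  // What a client receives: its own document with 'private' stripped.
  publishTo(userId) {
    const doc = this.docs.get(userId);
    if (!doc) return null;
    const { private: _hidden, ...visible } = clone(doc);
    return visible;
  }
  // Client-originated update: default deny, applied only if a rule approves.
  clientUpdate(userId, docId, changes) {
    const doc = this.docs.get(docId);
    const fields = Object.keys(changes);
    const approved = doc && this.allowRules.some((r) => r(userId, doc, fields));
    if (!approved) return false;
    Object.assign(doc, clone(changes));
    return true;
  }
}

function demo() {
  const users = new ServerCollection();
  // Constructed sample data: roles are kept under 'private'.
  users.insertTrusted({ _id: "u1", profile: { name: "alice" }, private: { roles: ["admin"] } });
  users.insertTrusted({ _id: "u2", profile: { name: "bob" }, private: { roles: ["user"] } });
  // A user may change only the 'profile' field of their own document.
  users.allow((userId, doc, fields) =>
    userId === doc._id && fields.every((f) => f === "profile"));
  return {
    shipped: users.publishTo("u2"),
    ownProfile: users.clientUpdate("u2", "u2", { profile: { name: "bobby" } }),
    escalate: users.clientUpdate("u2", "u2", { private: { roles: ["admin"] } }),
    otherUser: users.clientUpdate("u2", "u1", { profile: { name: "x" } }),
    unauthenticated: users.clientUpdate(null, "u2", { profile: { name: "y" } }),
    rolesAfter: users.docs.get("u2").private.roles,
  };
}
```

The allow rule lists the fields a client may write rather than the ones it may not, so any field added to the document later is denied to clients by default.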