diff --git a/src/main/java/org/vertx/mods/AuthManager.java b/src/main/java/org/vertx/mods/AuthManager.java
index b0af2e4..99cd6e6 100644
--- a/src/main/java/org/vertx/mods/AuthManager.java
+++ b/src/main/java/org/vertx/mods/AuthManager.java
@@ -37,7 +37,7 @@ public class AuthManager extends BusModBase {
  private Handler> logoutHandler;
  private Handler> authoriseHandler;
- protected final Map sessions = new HashMap<>();
+ protected final Map sessions = new HashMap<>();
  protected final Map logins = new HashMap<>();
  private static final long DEFAULT_SESSION_TIMEOUT = 30 * 60 * 1000;
@@ -113,11 +113,11 @@ private void doLogin(final Message message) {
  findMsg.putObject("matcher", matcher);
  eb.send(persistorAddress, findMsg, new Handler>() {
- public void handle(Message reply) {
+ public void handle(Message reply) {
  if (reply.body().getString("status").equals("ok")) {
- if (reply.body().getObject("result") != null) {
+ if (reply.body().getObject("result") != null) {
  // Check if already logged in, if so logout of the old session
  LoginInfo info = logins.get(username);
  if (info != null) {
@@ -132,10 +132,13 @@ public void handle(Long timerID) {
  logins.remove(username);
  }
  });
- sessions.put(sessionID, username);
+
+ JsonObject sessionData = formSessionData(reply, sessionID);
+
+ sessions.put(sessionID, sessionData);
  logins.put(username, new LoginInfo(timerID, sessionID));
- JsonObject jsonReply = new JsonObject().putString("sessionID", sessionID);
- sendOK(message, jsonReply);
+
+ sendOK(message, sessionData);
  } else {
  // Not found
  sendStatus("denied", message);
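Review bot: `sendOK(message, sessionData)` now returns the persistor's user record with only `_id` and `password` stripped (see `formSessionData` in the following hunk), and the same object is cached in `sessions` and replayed by `doAuthorise` in the last hunk, so any other field present on the user document reaches every bus client that holds a valid sessionID. A two-name deny-list is fragile against schema changes; build the session object from an allow-list instead, e.g. `JsonObject sessionData = new JsonObject().putString("username", username).putString("sessionID", sessionID);`, copying only the specific extra fields other modules are known to need. Storing and sending the same mutable instance also means the cached session and the reply share state unless the bus copies on local delivery — worth confirming, or sending a copy. The enclosing `handle` body starts in the previous hunk and continues past this one.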
@@ -148,6 +151,17 @@ public void handle(Long timerID) {
  });
  }
+ private JsonObject formSessionData(Message dbReply, final String sessionID) {
+ //Put record returned from the db as session data
+ JsonObject sessionData = dbReply.body().getObject("result");
+
+ //remove id and password so that we dont send it back over the wire
+ sessionData.removeField("_id");
+ sessionData.removeField("password");
+ sessionData.putString("sessionID", sessionID);
+ return sessionData;
+ }
+
  protected void doLogout(final Message message) {
  final String sessionID = getMandatoryString("sessionID", message);
  if (sessionID != null) {
@@ -160,7 +174,11 @@ protected void doLogout(final Message message) {
  }
  protected boolean logout(String sessionID) {
- String username = sessions.remove(sessionID);
+ JsonObject session = sessions.remove(sessionID);
+ if (session == null)
+ return false;
+
+ String username = session.getString("username");
  if (username != null) {
  LoginInfo info = logins.remove(username);
  vertx.cancelTimer(info.timerID);
@@ -175,14 +193,10 @@ protected void doAuthorise(Message message) {
  if (sessionID == null) {
  return;
  }
- String username = sessions.get(sessionID);
-
- // In this basic auth manager we don't do any resource specific authorisation
- // The user is always authorised if they are logged in
+ JsonObject authData = sessions.get(sessionID);
- if (username != null) {
- JsonObject reply = new JsonObject().putString("username", username);
- sendOK(message, reply);
+ if (authData != null) {
+ sendOK(message, authData);
  } else {
  sendStatus("denied", message);
  }
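Review bot: `formSessionData` strips fields from the object returned by `dbReply.body().getObject("result")` and hands that same object back, which presumably edits the reply body in place rather than on a copy; the `//Put record returned from the db as session data` comment does not say so. Add a Javadoc stating that the result is the reply's own `result` object with `_id` and `password` removed and `sessionID` added, that `dbReply` is modified as a side effect, and that the caller must already have checked `result` is non-null (the `!= null` guard lives in the previous hunk). The `//remove id and password ...` comment should also make clear this is a deny-list, so a maintainer adding new sensitive fields to the user record knows to extend it.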
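Review bot: `if (session == null)` followed by an unbraced `return false;` departs from the braced single-statement style used in the rest of the class (`if (username != null) {` two lines below); write `if (session == null) { return false; }`. Separately, `session.getString("username")` relies on the cached record carrying a `username` field — the lookup matcher is built outside this hunk, so that cannot be confirmed here — and if it is absent the `logins` entry and its timeout timer are never released even though the session was removed. The rest of `logout` continues past the hunk.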
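Review bot: The two removed comment lines (`// In this basic auth manager we don't do any resource specific authorisation` / `// The user is always authorised if they are logged in`) documented behaviour this hunk leaves unchanged — presence in `sessions` is still the only check — so they should be kept above `if (authData != null) {`. It would also help to note there that `authData` is the full cached session record and is returned as-is, since the previous reply carried only `username`.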