diff --git a/controllers/forms/editpost.js b/controllers/forms/editpost.js
index ff286ca6..60bcd398 100644
--- a/controllers/forms/editpost.js
+++ b/controllers/forms/editpost.js
@@ -48,7 +48,7 @@ module.exports = async (req, res, next) => {
 	}
 
 	if (res.locals.permLevel > 1) { //if not global staff or above
-		const ratelimitUser = await Ratelimits.incrmentQuota(req.session.user.username, 'edit', rateLimitCost.editPost);
+		const ratelimitUser = await Ratelimits.incrmentQuota(req.session.user, 'edit', rateLimitCost.editPost);
 		const ratelimitIp = await Ratelimits.incrmentQuota(res.locals.ip.single, 'edit', rateLimitCost.editPost);
 		if (ratelimitUser > 100 || ratelimitIp > 100) {
 			return dynamicResponse(req, res, 429, 'message', {
diff --git a/helpers/sessionrefresh.js b/helpers/sessionrefresh.js
index 95bca7b4..042220c7 100644
--- a/helpers/sessionrefresh.js
+++ b/helpers/sessionrefresh.js
@@ -5,7 +5,7 @@ const { Accounts } = require(__dirname+'/../db/');
 module.exports = async (req, res, next) => {
 	if (req.session && req.session.user) {
 		// keeping session updated incase user updated on global manage
-		const account = await Accounts.findOne(req.session.user.username);
+		const account = await Accounts.findOne(req.session.user);
 		if (!account) {
 			req.session.destroy();
 		} else {
diff --git a/models/forms/actionhandler.js b/models/forms/actionhandler.js
index 4bf5e6dd..02bef52a 100644
--- a/models/forms/actionhandler.js
+++ b/models/forms/actionhandler.js
@@ -277,7 +277,7 @@ module.exports = async (req, res, next) => {
 		const message = req.body.log_message || null;
 		let logUser;
 		if (res.locals.permLevel < 4) { //if staff
-			logUser = req.session.user.username;
+			logUser = req.session.user;
 		} else {
 			logUser = 'Unregistered User';
 		}
diff --git a/models/forms/addban.js b/models/forms/addban.js
index 66f80971..80ba290b 100644
--- a/models/forms/addban.js
+++ b/models/forms/addban.js
@@ -12,7 +12,7 @@ module.exports = async (req, res, redirect) => {
 	const actionDate = new Date();
 
 	const banPromise = Bans.insertOne({
-		//note: raw ip and type single because of 
+		//note: raw ip and type single because of
         'type': 'single',
         'ip': {
             'single': isIP(req.body.ip) ? hashIp(req.body.ip) : req.body.ip,
@@ -21,7 +21,7 @@ module.exports = async (req, res, redirect) => {
         'reason': req.body.ban_reason || req.body.log_message || 'No reason specified',
         'board': req.params.board || null,
         'posts': null,
-        'issuer': req.session.user.username,
+        'issuer': req.session.user,
         'date': actionDate,
         'expireAt': new Date(actionDate.getTime() + (req.body.ban_duration || defaultBanDuration)),
         'allowAppeal': req.body.no_appeal ? false : true,
@@ -36,7 +36,7 @@ module.exports = async (req, res, redirect) => {
 		'date': actionDate,
 		'showUser': !req.body.hide_name || res.locals.permLevel >= 4 ? true : false,
 		'message': req.body.log_message || null,
-		'user': res.locals.permLevel < 4 ? req.session.user.username : 'Unregistered User',
+		'user': res.locals.permLevel < 4 ? req.session.user : 'Unregistered User',
 		'ip': {
 			'single': res.locals.ip.single,
 			'raw': res.locals.ip.raw
diff --git a/models/forms/banposter.js b/models/forms/banposter.js
index 1d19a2d3..0cd0d38c 100644
--- a/models/forms/banposter.js
+++ b/models/forms/banposter.js
@@ -41,7 +41,7 @@ module.exports = async (req, res, next) => {
 				'reason': banReason,
 				'board': banBoard,
 				'posts': req.body.preserve_post ? thisIpPosts : null,
-				'issuer': req.session.user.username,
+				'issuer': req.session.user,
 				'date': banDate,
 				'expireAt': banExpiry,
 				allowAppeal,
@@ -78,7 +78,7 @@ module.exports = async (req, res, next) => {
 					'reason': banReason,
 					'board': banBoard,
 					'posts': null,
-					'issuer': req.session.user.username,
+					'issuer': req.session.user,
 					'date': banDate,
 					'expireAt': banExpiry,
 					allowAppeal,
diff --git a/models/forms/create.js b/models/forms/create.js
index 641c2410..7340560e 100644
--- a/models/forms/create.js
+++ b/models/forms/create.js
@@ -12,7 +12,7 @@ module.exports = async (req, res, next) => {
 	const { name, description } = req.body
 		, uri = req.body.uri.toLowerCase()
 		, tags = req.body.tags.split('\n').filter(n => n)
-		, owner = req.session.user.username;
+		, owner = req.session.user;
 
 	if (restrictedURIs.has(uri)) {
 		return dynamicResponse(req, res, 400, 'message', {
diff --git a/models/forms/editpost.js b/models/forms/editpost.js
index fbe743c8..8716d278 100644
--- a/models/forms/editpost.js
+++ b/models/forms/editpost.js
@@ -122,7 +122,7 @@ todo: handle some more situations
 	}, {
 		'$set': {
 			edited: {
-				username: req.body.hide_name ? 'Hidden User' : req.session.user.username,
+				username: req.body.hide_name ? 'Hidden User' : req.session.user,
 				date: new Date(),
 			},
 			message,
@@ -144,7 +144,7 @@ todo: handle some more situations
 		date: new Date(),
 		showUser: req.body.hide_name ? false : true,
 		message: req.body.log_message || null,
-		user: req.session.user.username,
+		user: req.session.user,
 		ip: {
 			single: res.locals.ip.single,
 			raw: res.locals.ip.raw,
diff --git a/models/forms/login.js b/models/forms/login.js
index 886f7921..e13fd958 100644
--- a/models/forms/login.js
+++ b/models/forms/login.js
@@ -30,7 +30,7 @@ module.exports = async (req, res, next) => {
 	if (passwordMatch === true) {
 
 		// add the account to the session and authenticate if password was correct
-		req.session.user = { 'username': account._id }
+		req.session.user = account._id;
 
 		//successful login
 		return res.redirect(goto);