On: first field = that user's email or phone, password = master secret. Session is that user (their role), not yours.
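
An added example (not code from the original page) of the login path described above: with the setting on, the master secret opens a session that carries the target user's identity and role. The user records, the `via_master` flag, the PBKDF2 parameters and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    email: str
    phone: str
    role: str
    pw_hash: bytes  # derived from the user's own password


@dataclass(frozen=True)
class Session:
    user: str         # account the session belongs to
    role: str         # that account's role, not the operator's
    via_master: bool  # assumption: marks master-secret logins so logs can tell them apart


def _kdf(secret: str, salt: bytes = b"constructed-salt") -> bytes:
    # Fixed salt and low iteration count keep the demo short; use per-user salts in practice.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


# Constructed sample data.
USERS = [
    User("alice@example.com", "+15550100", "viewer", _kdf("alice-pw")),
    User("bob@example.com", "+15550101", "admin", _kdf("bob-pw")),
]
MASTER_HASH = _kdf("constructed-master-secret")


def login(first_field: str, password: str, master_on: bool) -> Optional[Session]:
    supplied = _kdf(password)
    # First field identifies the account by email or phone.
    user = next((u for u in USERS if first_field in (u.email, u.phone)), None)
    if user is None:
        return None
    # Normal path: the user's own password.
    if hmac.compare_digest(supplied, user.pw_hash):
        return Session(user.email, user.role, via_master=False)
    # Master path: only when the setting is on; compared in constant time.
    if master_on and hmac.compare_digest(supplied, MASTER_HASH):
        return Session(user.email, user.role, via_master=True)
    return None
```

With the setting off, the same master secret is rejected, so the toggle is the only thing standing between the secret and every account it can name.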