OT: Tracking user

Just a question for opinions -
In the past developing with php (not that it should matter) , when
preparing data for a user I generally set the query to filter not only
by user.id but also by user.username. To me it just seemed to add a
little more redundancy in the event some hacker figured out a way to
login with someone elses id.
Is this strategy something that makes sense in Rails as well ? Or in
any web application ?
Of course when they log in they must with their username and password.