Hi All,
Is it a bad idea to store a user's md5 password in a session? Can we get by without it being in there?
Sorry... I'm fairly new to writing a login script.
Brad.
Should you store password in session?
It's not that bad. It really depends how safe you need to be. If it's md5'ed it's pretty safe though. Your weak points are likely in other places.
but it would probably be better to just use something like
Code:
<?php
session_start();

// credentials_are_valid() is a stand-in for whatever check compares the submitted
// username and password against the stored account (a hypothetical helper)
if (credentials_are_valid($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    $_SESSION['logged_in'] = true;
}
// then just check on subsequent pages
if (empty($_SESSION['logged_in'])) {
    echo 'not logged in';
} else {
    // ok
}
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
As above - password in session is risky. It's low risk, but it's there all the same.
I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ javascript, etc. in any text they submit - for example setting something simple like a MSN contact detail to point to a js file using script tags which steals some user cookie details - like sessid...
Something to think about...
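Putting both replies together, here is an added example (not code from this thread or from either poster) of a PHP login that keeps only a logged-in flag and user id in the session, never the password or its md5, and that also addresses the session-id theft via XSS raised above. The account lookup and the sample user are constructed for the example; a real site would query its database.

```php
<?php
// Added example, not from the thread. The session holds only a logged-in flag
// and a user id; the password (or its hash) is never stored in it. The session
// id is rotated at login and the cookie is hidden from page JavaScript.

// Cookie flags must be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable via document.cookie (limits XSS cookie theft)
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample account standing in for a database lookup. The stored
// value is a password_hash() result, not an md5 of the password.
function find_user_by_name(string $username): ?array
{
    static $users = null;
    $users ??= ['brad' => [
        'id'            => 1,
        'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ]];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);      // fresh id on privilege change (anti-fixation)
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $user['id'];
    return true;                      // neither plaintext nor hash is kept in the session
}

// Escape user-supplied text on output, so a profile field containing
// <script> tags is displayed as text rather than executed in other browsers.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo login($_POST['username'] ?? '', $_POST['password'] ?? '') ? 'ok' : 'bad login';
}
```

Subsequent pages only need `empty($_SESSION['logged_in'])`, as in the earlier reply; every stored profile value (the MSN contact field in the example above) goes through `e()` when rendered.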
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
hehe, nice idea lol
Maugrim_The_Reaper wrote:
As above - password in session is risky. It's low risk, but it's there all the same.
I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ javascript, etc. in any text they submit - for example setting something simple like a MSN contact detail to point to a js file using script tags which steals some user cookie details - like sessid...
Something to think about...
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland