Is it safe to store a password in a sessions variable?

For example, usage would be in a form which is submitted to itself.

For example, a change-classifieds page, where users first enter a password, and then if pass=ok, show the form to change the classified. All on the same PHP page.

But whenever a picture is uploaded in the "change" part of the PHP page, the form must submit to itself again.

Should I use the stored session password here to verify that the user is actually the user, and is that secure?

In other words, is it safe to store something like this:

 if($pass==$row['password']){ // If password was correct
    $_SESSION['pass_ok']='1';
 }

Thanks

asked Oct 17, 2010 at 9:33 by user188962

  • Sidenote: I'd recommend using === and !== instead of == and != wherever possible. Careless use of == can easily lead to security problems because the PHP rules for comparison between different types are a bit strange. – CodesInChaos, Oct 17, 2010 at 11:23

4 Answers

Camran, what you are trying to do is a standard way to maintain PHP sessions. You are actually not storing the password in the session, rather just storing the information that this particular user has already logged in: $_SESSION['pass_ok']='1';

On every page you just have to do a session_start() and check if this session variable is already set to 1; if yes, assume him to be logged in and proceed, else redirect to the login page.

If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.

  • Use SSL (https); it will make it hard to sniff the data and get your session id
  • Maintain the client IP in the session when the user logs in; for every request after logging in, check if the requests are coming from the same IP
  • Set a short session timeout, so that if left idle for a while the session times out automatically.

Use a pre-built authentication system. That's your best bet at being secure, because they would have (or should have) thought of every security issue already.

What I do is:

  1. Check the user logs in correctly
  2. Assign a session to username + userLOGGEDIN session
  3. When a page is clicked, my system searches the DB for username + userLOGGEDIN; if it's true then it allows access to the page, but what it also does is delete the record it just searched for and insert a new record for the username + userLOGGEDIN with a different MD5 hash. So hopefully it will be harder to crack.

I would advise against it. If someone logs in and copies the session ID down, they can theoretically log in to any page. I would instead advise you to check the password is okay on every page refresh, as this will be more secure.

Additionally, always store passwords hashed in a database, or better yet, hashed with salts.
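Putting the first answer's session-flag flow (session_start(), a logged-in marker, an idle timeout, redirect to login) together with the last answer's advice to store only password hashes, as an added example that is not code from the question or any of the answers. It assumes a PDO handle `$db`, a `users` table with `username` and `password_hash` columns filled by `password_hash()`, and a `/login.php` page; the `session_regenerate_id()` call on login is an addition not mentioned in the thread.

```php
<?php
// Added example (not from the question or any answer): session flag + idle timeout
// from the first answer, hashed password storage from the last answer.
// Assumed (hypothetical): PDO handle $db, table `users` with columns
// id, username, password_hash (filled by password_hash()), and a /login.php page.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before the session is dropped

session_start();

/** Verify the submitted password against the stored hash and mark the session. */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() does a timing-safe comparison against the stored hash;
    // neither the plaintext password nor the hash is ever put in the session.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id once privilege changes
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

/** Gate for every protected page: returns the user id or redirects to login. */
function require_login(): int
{
    $idle = time() - ($_SESSION['last_activity'] ?? 0);
    if (!isset($_SESSION['user_id']) || $idle > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();  // sliding idle timeout
    return $_SESSION['user_id'];
}

/** On logout, clear the marker so a copied session id is no longer useful. */
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Call require_login() at the top of the classified-edit page, before handling the re-submitted picture upload, so the flag set at login is what authorises each further request.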