views:

115

answers:

3

Is it safe to store a password in a sessions variable?

For example, usage would be in a form which is submitted to itself.

For example a change classifieds page, where users first enter a password, and then if pass=ok, show the form to change the classified. All on same php-page.

But whenever a picture is uploaded in the "change" part of the php page, the form must submit to itself again.

Should I use the stored session password here to verify that the user is actually the user, and is that secure?

In other words, is it safe to store something like this:

 if($pass==$row['password']){ // If password was correct
    $_SESSION['pass_ok']='1';
 }

Thanks

A: 

I would advise against it. If someone logs in and copies the session ID down, they can theoretically log in to any page. I would instead advise you to check the password is okay on every page refresh, as this will be more secure.

Additionally, always store passwords hashed in a database, or better yet, hashed with salts.

Thomas O
How about storing it encrypted in a php session? And then decrypt it every time, so that the user doesn't have to enter it every time they upload a picture?
Camran
Well, you wouldn't encrypt it; you'd hash it. So you'd pass it through something like sha1, then when the user enters their password, verify the passwords match by hashing their input and comparing the two. Store the input they used as a hash in a session or cookie, and verify it against the password in the database.
Thomas O
Both your answers are bad practices. You should store the PHP session ID, IP, browser ident, and verification that they are authenticated. Then use all that information to approve that the user is valid.
Petah
Storing a hash in a cookie is a bad practice. I agree. But I was suggesting something that would be better. An even better system would be a sessions system, but not using php sessions, and with a database instead.
Thomas O
-1 **ALL** web applications must store a logged-in state in a session variable. The alternative would be to store the password as your cookie, which is far, far worse, because now your password is a session id that never expires.
Rook
Ouch. -2... I think people are misunderstanding me. Sessions and cookies do expire. Said non-PHP sessions would be locked to one IP.
Thomas O
+1  A: 

Camran, what you are trying to do is a standard way to maintain php sessions. You are actually not storing the password in the session, rather just storing the information that this particular user has already logged in: `$_SESSION['pass_ok']='1';`

On every page you just have to do a `session_start()` and check if this session value is already set to 1; if yes, assume the user is logged in and proceed, else redirect to the login page.

If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.

  • Use SSL (https); it will make it hard to sniff the data and get your session id
  • maintain the client ip in the session when the user logs in; for every request after logging in, check if the requests are coming from the same ip
  • Set a short session timeout, so that if left idle for a while the session times out automatically.
Nands
+1 The user can't modify his own session variables, so often we just put a username in `$_SESSION['user']` or similar if a user is logged in. If that value is missing, the user is anonymous.
Adam Backstrom
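Nands' outline above, written out as an added example in PHP that is not part of the original thread. It assumes PHP 7.3 or newer (array form of `session_set_cookie_params()`) and the `password_hash()`/`password_verify()` API; `fetch_user()` and the user record it returns are constructed stand-ins for the real database lookup, and the constant and function names are mine.

```php
<?php
// Added example, not from the original thread: a "logged-in flag" session
// following Nands' three points (HTTPS-only cookie, client IP bound to the
// session, short idle timeout). fetch_user() is a stub standing in for the
// real database query.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // seconds of inactivity before forced logout

// Harden the session cookie before session_start(): no JavaScript access,
// sent over HTTPS only, not sent on cross-site requests.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,     // set to false only on a plain-http dev box
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Stub for the database lookup (constructed data). A real app would SELECT
// the stored password_hash() value for this username.
function fetch_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['camran' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// Log in: verify the submitted password against the stored hash, then record
// only the fact that this user is authenticated, never the password itself.
function login(string $username, string $password): bool
{
    $user = fetch_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);     // new ID after login defeats session fixation
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua']        = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page (the "change classified" form, the
// picture-upload handler, ...). Returns the user id or redirects to login.
function require_login(string $login_url = '/login.php'): int
{
    $ok = isset($_SESSION['user_id'])
        && ($_SESSION['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '')
        && ($_SESSION['ua'] ?? null) === ($_SERVER['HTTP_USER_AGENT'] ?? '')
        && (time() - ($_SESSION['last_seen'] ?? 0)) <= SESSION_IDLE_LIMIT;

    if (!$ok) {
        logout();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();   // sliding idle timeout
    return (int) $_SESSION['user_id'];
}

// Wipe the server-side state and expire the cookie in the browser.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- Usage on the self-submitting page ------------------------------------
start_secure_session();

if (isset($_POST['username'], $_POST['password'])) {
    if (!login((string) $_POST['username'], (string) $_POST['password'])) {
        http_response_code(401);
        exit('Wrong username or password');
    }
}
$uid = require_login();   // from here on, $uid belongs to an authenticated user
// ... show the edit form, or handle the picture upload, for $uid ...
```

Two caveats a practitioner would add to Nands' list: binding the session to `REMOTE_ADDR` logs out legitimate users whose address changes mid-session (mobile networks, some corporate proxies), so treat it as a tripwire rather than the main control, and never use `X-Forwarded-For` for this check unless your own reverse proxy sets it, since the client controls that header. The `session_regenerate_id(true)` call at login matters as much as the flag itself: without it an attacker who planted a session ID in the victim's browser before login inherits the authenticated session.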
+1  A: 

Use a pre-built authentication system. That's your best bet at being secure, because they would have (or should have) already thought of every security issue.

Petah