Is it safe to store a password in a sessions variable?
For example, usage would be in a form which is submitted to itself.
For example a change classifieds page, where users first enter a password, and then if pass=ok, show the form to change the classified. All on same php-page.
But Whenever a picture is uploaded in the "change" part of the php page, the form must submit to itself again.
Should I here use the stores Session password to verify that the user is actually the user, and that it is secure?
In other words, is it safe to store something like this:
if($pass==$row['password']){ // If password was correct
$_SESSION['pass_ok']='1';
}
Thanks
Camran, what you are trying to do is a standard way to maintain php sessions. You are actually not storing the password in the session rather just storing the information that this particuar user has already logged in.
$_SESSION['pass_ok']='1';
On every page you just have to do a session_start() and check of this session is already set to 1, if yes they assume him to be logged and proceeed, else redirect to login page.
If someone gets hold of the session id then they definitely can access the user session. You can do a few things to make it more secure.
- Use SSl (https), it will make hard to sniff the data and get your session id
- maintain the client ip in the session when user logs in, for every request after logging in, check if the requests are coming from same ip
- Set a short session timeout, so that if left idle for a while the session times out automatically.
Use a pre-built authentication system. That your best bet at being secure because they would have (or should have) thought of everything (security issue) already.
I would advise against it. If someone logs in and copies the session ID down they can theoretically log in to any page. I would instead advise you check the password is okay on every page refresh as this will be more secure.
Additionally, always store passwords hashed in a database, or better yet, hashed with salts.
