{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 爷、活的狠高调 的问题《Is it secure to store a password in a session? [du》','https://www.manongdao.com/q-95970.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
This question already has an answer here:
I need to use the password often in a session. I'm crypting my userdata with a key that is crypted by the password. So there is my question. Is it secure to store plaintext passwords in a php session (not a cookie, so non clientside)? Is there a better way? Or should i just ask my user every time for the password?
I encrypt the privatekey of rsa with the userpassword using phpseclib. Everytime I want access to the key I need the password. I have two options: Either I store the password or the key which is I think both not really good. I can't use the passwordhash for the encryption, cause the hash is stored in "plaintext" in the database...
Never store any kind of sensitive data anywhere except the database you should generally avoid using
MD5andSHAfamily directly.Then Whats the Solution ?
If you are implementing Authentication system then compare then Client information (generally username and password) then create a special token and then save it to session or cookie.
Example
Comparing token
If doing so and when hackers get access to your server, they will see the passwords in plain text. Never store plain text passwords (wherever)
About the general question. You ask the user once for the password and verify the crypted password against a crypted password stored - let's say in a database. If they are the same then you start a new session. When the user next tries to access your site, you'll check if a session for this user exists. So there is no need to store the password in the session.
Never store passwords in plaintext. Aside from that: yes, sessions are safe. Sessions are stored on the server. The session data itself is never sent to the browser.
Whether it is wise or even necessary to store a password in a session, probably not. Maybe for caching reasons but even then it's flakey.
Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.
If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation function to derive a key from the password which you then use for your sensitive tasks. This way there's a lot less chance to expose the user's password. Remember, the only security the user has is the secrecy of his password that only he is supposed to know.