user authentication method using sessions

[IndynewToPhp]

Hi,

I've been searching on google for how to implement sessions for user authentication. I've seen two methods.

 

note I know a bit about how sessions work but I do wonder this:

 

One type of example shows using sessions to store both the username, and the users password. Each time a secure page is requested it then takes those session variables and checks the database to see if it's a valid combo each and every time. This seems a bit insecure to me in that you are storing user password on the server...right? Also, it's accessing the database needlessly...right?

 

The other type, and the one that makes sense to me is that the username and password is checked against the database ONCE and if found to be valid a session variable is set to indicate that...for example $_SESSION["access"] = "granted";

and then that session variable is checked on every secure page. Thus the database is only accessed once.

 

Is one method better than the other? If so, why?

 

Thanks!

 

[sellfisch]

I prefer the secound one, because it doesn't take so much db querys (in the first solution you send a query for every page)

[jackpf]

The only problem is if someone decides to edit their session cookies after they've been "granted".

 

They might be able to change their sessions to someone elses.

 

There's loads of info about session hijacking on google.

[WolfRage]

But so long as you do not bear the session variable to the user then the session variables should be safe. But if you are on a shared host then you need to store your sessions in a secure folder, or on the database, which will result in the high number of inquires. To prevent Hijacking you will need to use extra means of user validation. Like using a coded cookie or two and user browser integrity.