Danny620, posted August 15, 2009:

Would it be safe to store a sha1 password in a session? Would it be hackable, and even if they did hack it, would they be able to decrypt it and use it to log in?

wildteen88, posted August 15, 2009:

No one can read the contents of a session. All session data is stored on the server. Why are you saving the password in the session?

Danny620, posted August 15, 2009:

Because I want to check the username and the password to make sure it's them, not just check one.

PFMaBiSmAd, posted August 15, 2009:

I've got to ask the same thing. Why store the password (or a hashed version of it) in a session? The only time you care what a password is, is when a visitor enters it in order to authenticate who they are. Once you match the password (or a hashed version of it) with what has been previously stored on the server (in a database or flat-file), you store a value in a session that says the current visitor is authenticated (usually a session variable that holds their username); you don't deal with the password again unless you need the visitor to re-authenticate who they are again.

wildteen88, posted August 15, 2009:

You would only check the username/password when they log in, not for every page they view. Instead, when they log in successfully, define a new session variable called is_logged_in and set it to true. Now on every page that requires the user to be logged in, have the following at the top of the page.

    <?php
    session_start();

    // check if they are logged in; if not, send them to the login page and stop
    if(!isset($_SESSION['is_logged_in']) || isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] != true)
    {
        header('Location: login.php');
        exit;
    }

    // code for page here

When they log out, destroy the session or unset the is_logged_in session variable.

Danny620, posted August 15, 2009:

Does this have to be set on logging in, $_SESSION['is_logged_in']? Like, when a user logs in I set it, then

    if(!isset($_SESSION['is_logged_in']) || isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] != true)
    {
        header('Location: login.php');
        exit;
    }

wildteen88, posted August 15, 2009:

Please reply to this thread. No need to start a new thread.

Danny620, posted August 15, 2009:

Sorry, but I don't understand. Do I have to set this var?

wildteen88, posted August 15, 2009:

> Sorry, but I don't understand. Do I have to set this var?

Yes, you need to set this variable when they successfully log in, e.g.

    $_SESSION['is_logged_in'] = true;

Please, if you have any more questions, continue in your previous thread.

Daniel0, posted August 16, 2009:

I've merged the two topics.
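
The login flow the replies describe, as an added example that is not part of the original thread: the password is checked once at login against a stored hash, and only the is_logged_in flag and the username go into the session. It uses PHP's password_hash()/password_verify() rather than the sha1 hash from the question and regenerates the session ID on login; the $users array, the sample account and the helper function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $users is a constructed stand-in
// for the database table; a real table holds hashes made at registration.
$users = ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];

// Check the submitted credentials once, at login time.
function attempt_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID for the authenticated session
    $_SESSION['is_logged_in'] = true;   // the flag from the thread
    $_SESSION['username'] = $username;  // identifies the user; no password or hash stored
    return true;
}

// What every protected page checks instead of re-checking the password.
function is_logged_in(): bool
{
    return isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] === true;
}

// Guard for the top of a protected page, as in the thread.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];      // clear the data for the rest of this request
    session_destroy();   // remove the server-side session data
}

// Walk through the flow; results are printed last so no output precedes the session calls.
session_start();
$results = [];
$results['wrong password accepted'] = attempt_login($users, 'alice', 'guess');
$results['logged in after failure'] = is_logged_in();
$results['right password accepted'] = attempt_login($users, 'alice', 'example-password');
$results['logged in after success'] = is_logged_in();
$results['session keys'] = implode(',', array_keys($_SESSION));
logout();
$results['logged in after logout'] = is_logged_in();
var_export($results);
```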