freelance84 Posted April 22, 2010 Share Posted April 22, 2010 OK I have another question on $_SESSION. After my "check_login" script has got the entered username and password, stripped any slashes...etc, I then add some salting to the password and run it through "sha1", the end product is called $token and this should then match the password stored in the members table in MySQL. The book I am using says to pass the original password to the $_SESSION['password']. Should I not be passing the $token as the password instead as this is what is stored in the members table, and is more secure? Or would this actually make it less secure as I would be passing the actual password stored in the table? Quote Link to comment https://forums.phpfreaks.com/topic/199376-pass-the-password-or-the-token/ Share on other sites More sharing options...
PFMaBiSmAd Posted April 22, 2010 Share Posted April 22, 2010 Storing the password or the sha1 of the salted password in a session variable does not make sense because that does not uniquely identify the visitor (many users could have the same password.) Storing the username or userid in a session variable is what is normally used to identify a logged in visitor. Quote Link to comment https://forums.phpfreaks.com/topic/199376-pass-the-password-or-the-token/#findComment-1046381 Share on other sites More sharing options...
freelance84 Posted April 22, 2010 Author Share Posted April 22, 2010 No sorry, I'm also storing the in the $_SESSION the username, user type, forname and surname. So i can gather that once the password has been checked at the start there is no need for it to be passed on in the $_SESSION unless required later on in the site? That actually makes more sense. Quote Link to comment https://forums.phpfreaks.com/topic/199376-pass-the-password-or-the-token/#findComment-1046387 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.