pass the password or the $token?


freelance84


OK I have another question on $_SESSION.

 

After my "check_login" script has got the entered username and password, stripped any slashes...etc, I then add some salting to the password and run it through "sha1", the end product is called $token and this should then match the password stored in the members table in MySQL.

 

The book I am using says to pass the original password to the $_SESSION['password']. Should I not be passing the $token as the password instead as this is what is stored in the members table, and is more secure? Or would this actually make it less secure as I would be passing the actual password stored in the table?

https://forums.phpfreaks.com/topic/199376-pass-the-password-or-the-token/

Storing the password or the sha1 of the salted password in a session variable does not make sense, because that does not uniquely identify the visitor (many users could have the same password).

 

Storing the username or userid in a session variable is what is normally used to identify a logged in visitor.
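An added example illustrating the answer above (not code from the thread or the book): the salted-sha1 token is checked against the stored column, and only the user's id is placed in $_SESSION. The `members` table layout (`user_id`, `salt`, `password` columns) and the salt-prepend scheme are assumptions.

```php
<?php
// Added example, not from the original thread. Table/column names and the
// salt scheme are assumptions made for illustration.

function make_token(string $password, string $salt): string {
    // Same idea as in the thread: salt the password, then sha1 it.
    // In current PHP, password_hash()/password_verify() is the preferred way.
    return sha1($salt . $password);
}

function check_login(PDO $db, string $username, string $password): ?int {
    // Prepared statement: the username never reaches the query as raw SQL.
    $stmt = $db->prepare('SELECT user_id, salt, password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown user
    }
    $token = make_token($password, $row['salt']);
    // Constant-time comparison so the check does not leak timing information.
    if (!hash_equals($row['password'], $token)) {
        return null;                       // wrong password
    }
    return (int) $row['user_id'];
}

function start_user_session(int $userId): void {
    session_start();
    // Fresh session id after login, so a pre-login id cannot be reused.
    session_regenerate_id(true);
    // Store only what identifies the visitor: neither the password nor the token.
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Usage on the login page (assumes $db is an open PDO connection and the
// form posted 'username' and 'password').
$userId = check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    // One generic message: do not reveal which of the two fields was wrong.
    exit('Login failed.');
}
start_user_session($userId);
```

Later pages then look up the member by `$_SESSION['user_id']` whenever they need the name or user type, so nothing password-related ever has to live in the session.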

No sorry, I'm also storing in the $_SESSION the username, user type, forename and surname.

 

So I can gather that once the password has been checked at the start there is no need for it to be passed on in the $_SESSION unless required later on in the site? That actually makes more sense.
