freelance84 Posted April 22, 2010

OK, I have another question on $_SESSION. After my "check_login" script has got the entered username and password, stripped any slashes, etc., I then add some salting to the password and run it through "sha1". The end product is called $token, and this should then match the password stored in the members table in MySQL. The book I am using says to pass the original password to $_SESSION['password']. Should I not be passing the $token as the password instead, as this is what is stored in the members table, and is more secure? Or would this actually make it less secure, as I would be passing the actual password stored in the table?
PFMaBiSmAd Posted April 22, 2010

Storing the password or the sha1 of the salted password in a session variable does not make sense, because that does not uniquely identify the visitor (many users could have the same password). Storing the username or user id in a session variable is what is normally used to identify a logged-in visitor.
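An added example of the pattern described in the reply above (this is not code from the thread or from the book the poster is using): the login check verifies the password once, then puts only the user's identity into $_SESSION, never the password or its hash. The `members` table and its columns `id`, `username`, `password_hash` and `user_type` are assumptions for illustration, as are the PDO connection details. It also swaps the thread's salted sha1 for PHP's password_verify(), which handles salting and constant-time comparison itself; the session-handling point is the same either way.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   members(id INT, username VARCHAR, password_hash VARCHAR, user_type VARCHAR)
// password_hash holds output of password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

function check_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash, user_type FROM members WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() replaces the thread's salted sha1: the salt lives inside
    // the stored hash and the comparison is constant-time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id on login so a pre-login (possibly attacker-chosen) id
    // never becomes an authenticated one.
    session_regenerate_id(true);

    // Identify the visitor by id. The password and its hash have done their job;
    // neither is stored in the session.
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['username']     = $row['username'];
    $_SESSION['user_type']    = $row['user_type'];
    $_SESSION['logged_in_at'] = time();

    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// Usage sketch for a check_login.php handler (connection details are placeholders).
session_start();
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /members.php');
    exit;
}
echo 'Login failed';
```

If a later page genuinely needs the password again (for example, to confirm a sensitive change), the usual approach is to prompt the user for it again and run the same verification, rather than carrying it in the session where it would sit in the session store for the lifetime of the login.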
freelance84 Posted April 22, 2010 (Author)

No, sorry, I'm also storing in the $_SESSION the username, user type, forename and surname. So I gather that once the password has been checked at the start there is no need for it to be passed on in the $_SESSION unless required later on in the site? That actually makes more sense.