Jump to content

Recommended Posts

I have a login system Username and Password.

 

My password is encrypted with bcrypt, if it okay to store that bcrypt in a session as $_SESSION["hash"]

 

To verify that the user is who they say they are?

 

Or do i only need to do

$_SESSION["username"]

The answer to this post describes my situation.

http://stackoverflow.com/questions/4451398/is-it-safe-to-keep-the-user-password-hash-on-session-php

 

 

It should be safe, since a client can only access his own session values. But you should:

  1. make sure the client cannot access it
  2. use another encryption, I wouldn't consider md5 safe, better use SHA-512 or something else.

But most importantly: Do you really need the hash in your session? If the user has been authenticated, he will always receive the same session (if your server is configured correctly). If you are anxious about session hijacking, you are going down the wrong path.

Edited by Richard_Grant

To verify that the user is who they say they are?

The session is entirely under your control. You don't have to re-verify a user every single time: do it once during login and only store the user information if it's good. If the information is there then the user logged in successfully, and if the information isn't then the user hasn't logged in.

 

It "should be safe", yes, but don't do it.

It is not safe, and it's complete nonsense.

 

First of all, please stop using the term “encryption” for a hash. Hashing is not encryption at all. In fact, when you see other people get those fundamental concepts wrong, that's a sure sign you do not want to follow their advice (besides the fact that the reply you've quoted is 4 years old).

 

On the average server, sessions are pretty much the unsafest place you can think of:

  • The session files are sitting in some temporary folder for an indefinite amount of time. 
  • They're completely unprotected and may be read by anybody (at least any web application).
  • Sessions may unwillingly be transferred from one user to another, be it due to session hijacking, session fixation or whatever.

Password hashes must be protected, not spread accross the system like friggin' Easter eggs.

 

But what's even more important: The whole thing makes absolutely no sense whatsoever. Comparing the hash in the session with the hash in the database proves nothing. In fact, this check always succeeds, because if a session contains the data of a certain user, then of course the hash also belongs to that user (unless there's something very wrong with your application). 

 

The idea of storing the password hash in the session isn't new. I've seen many people suggest it. Unfortunately, I think none of them has actually thought it through.

Edited by Jacques1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.