Richard_Grant Posted September 15, 2014 Share Posted September 15, 2014 I have a login system Username and Password. My password is encrypted with bcrypt, if it okay to store that bcrypt in a session as $_SESSION["hash"] To verify that the user is who they say they are? Or do i only need to do $_SESSION["username"] Quote Link to comment Share on other sites More sharing options...
Richard_Grant Posted September 15, 2014 Author Share Posted September 15, 2014 (edited) The answer to this post describes my situation. http://stackoverflow.com/questions/4451398/is-it-safe-to-keep-the-user-password-hash-on-session-php It should be safe, since a client can only access his own session values. But you should: make sure the client cannot access it use another encryption, I wouldn't consider md5 safe, better use SHA-512 or something else. But most importantly: Do you really need the hash in your session? If the user has been authenticated, he will always receive the same session (if your server is configured correctly). If you are anxious about session hijacking, you are going down the wrong path. Edited September 15, 2014 by Richard_Grant Quote Link to comment Share on other sites More sharing options...
requinix Posted September 15, 2014 Share Posted September 15, 2014 To verify that the user is who they say they are?The session is entirely under your control. You don't have to re-verify a user every single time: do it once during login and only store the user information if it's good. If the information is there then the user logged in successfully, and if the information isn't then the user hasn't logged in. It "should be safe", yes, but don't do it. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 15, 2014 Share Posted September 15, 2014 (edited) It is not safe, and it's complete nonsense. First of all, please stop using the term “encryption” for a hash. Hashing is not encryption at all. In fact, when you see other people get those fundamental concepts wrong, that's a sure sign you do not want to follow their advice (besides the fact that the reply you've quoted is 4 years old). On the average server, sessions are pretty much the unsafest place you can think of: The session files are sitting in some temporary folder for an indefinite amount of time. They're completely unprotected and may be read by anybody (at least any web application). Sessions may unwillingly be transferred from one user to another, be it due to session hijacking, session fixation or whatever. Password hashes must be protected, not spread accross the system like friggin' Easter eggs. But what's even more important: The whole thing makes absolutely no sense whatsoever. Comparing the hash in the session with the hash in the database proves nothing. In fact, this check always succeeds, because if a session contains the data of a certain user, then of course the hash also belongs to that user (unless there's something very wrong with your application). The idea of storing the password hash in the session isn't new. I've seen many people suggest it. Unfortunately, I think none of them has actually thought it through. Edited September 15, 2014 by Jacques1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.