Bytes IT Community

What should I put in session

Hello,

I'm trying to create a login system. I need some advice. Should I put
the username and password in the session, and then check the database for the correct
combination on every page, or should I just put the user id in the session, and
then create queries?

My session looks like this:

uid|s:5:"admin";pwd|s:5:"test";

Am I on the right track? Should I maybe put my password in the session as
MD5? Is it possible, BTW?

TNX

Jul 17 '05 #1
4 Replies


"dr. zoidberg" <so*****@example.wrong> wrote:
I'm trying to create a login system. I need some advice. Should I put
the username and password in the session, and then check the database for the correct
combination on every page, or should I just put the user id in the session, and
then create queries?


The question is what you want to do with the password after the user has
logged in. Do you need to store the password in the session for
whatever reason? Then store it. If not, don't. :-) My sites don't need
it.

Regards,
Matthias
Jul 17 '05 #2

Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session. (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)

2) For an easy to use login system, check out:
http://frymaster.dyndns.org/php-lib-login/index.html

Cheers,

Eric

"dr. zoidberg" <so*****@example.wrong> wrote in message
news:dT***************@ns45.bih.net.ba...
Hello,

I'm trying to create a login system. I need some advice. Should I put
the username and password in the session, and then check the database for the correct
combination on every page, or should I just put the user id in the session, and
then create queries?

My session looks like this:

uid|s:5:"admin";pwd|s:5:"test";

Am I on the right track? Should I maybe put my password in the session as
MD5? Is it possible, BTW?

TNX

Jul 17 '05 #3
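As an added illustration of Eric's first point (this is example code, not code from the thread or from the linked library): a PHP login flow that stores only the user id and a logged-in flag in the session, never the password, reads the flag explicitly from `$_SESSION` so that `register_globals` cannot inject it, and regenerates the session id at the moment of login. The `$pdo` connection, the `users` table with columns `id`, `username` and `password_hash` (created with `password_hash()`), and the function names are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes $pdo (a PDO connection) is created
// in a config include, and a `users` table: id, username, password_hash.
declare(strict_types=1);

/**
 * Check a username/password against the database. Returns the user id on
 * success or null on failure. The password itself never reaches the session.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is safe against timing attacks and reads the salt from the hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

/**
 * Record a successful login. Only the user id, a flag and a timestamp are kept.
 * The session id is regenerated so an id handed out before authentication
 * (e.g. one an attacker planted via a link) no longer refers to the logged-in session.
 */
function login(int $userId): void
{
    $_SESSION = [];                       // drop anything set before login
    session_regenerate_id(true);          // true = discard the old session data
    $_SESSION['uid']       = $userId;
    $_SESSION['logged_in'] = true;
    $_SESSION['login_at']  = time();
}

/**
 * Guard for protected pages. Reading $_SESSION explicitly means a
 * register_globals-style ?logged_in=1 in the query string has no effect.
 */
function requireLogin(): int
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['uid'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['uid'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// login.php: request handling around the functions above
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($uid !== null) {
        login($uid);
        header('Location: /home.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
```

Protected pages call `session_start()` and then `requireLogin()` at the top; the returned id is what you use in your queries, which is the "just put the user id in the session" option from the original question.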

Eric Ellsworth wrote:
Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session. (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)


I can only use http. Can anybody recommend a good way of transmitting the
passwords?

Jul 17 '05 #4

Well, if you really want to be super-secure, you should use an https:
connection and also a challenge response system, like so.

Your initial password page and subsequent login page can send the javascript
version of md5, which can be found here:
http://pajhome.org.uk/crypt/md5/md5.js

Initial account creation:
Before your form is submitted, whatever plaintext the user entered is
md5'ed, and then stored in the database in md5-ed form. Without https: this
phase does leave the possibility that this md5 hash could be intercepted,
though it is nice that your user's original password is not easily
retrievable. Store the md5ed version of the password rather than plaintext
so that the user's plaintext password (which is often the same for many
sites) cannot be retrieved.

After the user account has been created, your login page then sends a random
token (which is written into a separate session variable). Something like
the system time plus a word is a good choice, and you can write it into
<input type=hidden value="token_string">. Then, before the form is
submitted, the user's password is md5'ed, then concatenated with the token,
then md5'ed again. On the server side, you take the token and the md5 hash
of the password from the database and concatenate and md5. Compare what the
form sends with this value. Voilà: a basic challenge-response system. The
token serves as the "public key" in the challenge.

Hope this helps,

Eric

"dr. zoidberg" <so*****@example.wrong> wrote in message
news:X5****************@ns45.bih.net.ba...
Eric Ellsworth wrote:
Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session. (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)


I can only use http. Can anybody recommend a good way of transmitting the
passwords?

Jul 17 '05 #5
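The exchange Eric describes, written out in PHP so the browser-side and server-side computations can be set next to each other (added example, not code from the thread or from the md5.js library he links). It assumes the `users` table stores `md5(password)` in a column called `pwd_md5`, as the post proposes, and the function names are chosen here. Two checks a practitioner would want are included: the token comes from `random_bytes()` rather than the system time, and it is removed from the session when it is checked, so a captured response cannot be submitted a second time. Note that with this design the stored hash is all the server needs to compute the expected value, so the database column has to be protected like the password itself, and MD5 is no longer considered a suitable password hash; the example keeps MD5 only to match the post.

```php
<?php
// Added example, not from the thread. Assumes $pdo (a PDO connection) and a
// `users` table with columns username, pwd_md5 (pwd_md5 = md5 of the password).
declare(strict_types=1);

/** Server side: create a one-time token and remember it in the session. */
function issueChallenge(): string
{
    // Unpredictable token; "system time plus a word" can be guessed.
    $token = bin2hex(random_bytes(16));
    $_SESSION['challenge'] = $token;
    return $token;   // goes into <input type="hidden" name="token" value="...">
}

/** Browser side: what the md5.js code computes before the form is submitted. */
function clientResponse(string $plaintextPassword, string $token): string
{
    return md5(md5($plaintextPassword) . $token);
}

/** Server side: recompute the expected value from the stored hash and compare. */
function verifyResponse(PDO $pdo, string $username, string $response): bool
{
    $token = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);            // one-time use: a replay gets no token
    if ($token === null) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT pwd_md5 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false) {
        return false;
    }

    $expected = md5($storedHash . $token);
    return hash_equals($expected, $response);  // constant-time comparison
}

// Walk-through with constructed values and no database, to show the two
// sides agree: the server holds md5('test'), the browser holds 'test'.
session_start();
$token    = issueChallenge();
$sent     = clientResponse('test', $token);           // computed in the browser
$expected = md5(md5('test') . $token);                // computed on the server
printf("challenge-response matches: %s\n", hash_equals($expected, $sent) ? 'yes' : 'no');
```

On the login page, `issueChallenge()` runs when the form is rendered and `verifyResponse()` runs on the POST; after a successful check, regenerate the session id and store only the user id, as in the earlier reply.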
