
What should I put in session

Hello,

I'm trying to create a login system. I need some advice. Should I put the
username and password in the session, and then check the database for the
correct combination on every page, or should I just put the user id in the
session and then create queries?

My session looks like this:

uid|s:5:"admin";pwd|s:5:"test";

Am I on the right track? Should I maybe put my password in the session as
MD5? Is it possible, BTW?

TNX

Jul 17 '05 #1
"dr. zoidberg" <so*****@example.wrong> schrieb:
I'm trying to create a login system. I need some advice. Should I put the
username and password in the session, and then check the database for the
correct combination on every page, or should I just put the user id in the
session and then create queries?


The question is, what you want to do with the password after the user
logged in. Do you have the need to store the password in the session for
whatever reasons? Then store it. If not, not. :-) My sites don't need
it.

Regards,
Matthias
Jul 17 '05 #2
Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session-stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)

2) For an easy to use login system, check out:
http://frymaster.dyndns.org/php-lib-login/index.html

Cheers,

Eric

"dr. zoidberg" <so*****@example.wrong> wrote in message
news:dT***************@ns45.bih.net.ba...
Hello,

I'm trying to create a login system. I need some advice. Should I put the
username and password in the session, and then check the database for the
correct combination on every page, or should I just put the user id in the
session and then create queries?

My session looks like this:

uid|s:5:"admin";pwd|s:5:"test";

Am I on the right track? Should I maybe put my password in the session as
MD5? Is it possible, BTW?

TNX

Jul 17 '05 #3
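A PHP guard built on the first point above (only a logged-in flag and user id in the session, session id regenerated at login), added here as an example rather than code from the thread. It assumes a PDO connection `$db` and a `users` table with `id`, `username` and `pwd_hash` columns, and uses `password_verify` instead of raw MD5.

```php
<?php
// Added example: keep only a logged-in flag and the user id in the session,
// never the password. $db (PDO) and the users table are assumptions.

session_start();

// Verify the submitted credentials once, at login time.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pwd_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwd_hash'])) {
        return false;
    }
    // Issue a new session id on login so an id handed out before
    // authentication cannot be reused (the "change session IDs" point above).
    session_regenerate_id(true);
    $_SESSION = ['logged_in' => true, 'uid' => (int) $row['id']];
    return true;
}

// On every protected page: read the flag from $_SESSION explicitly rather
// than from a bare global, so register_globals cannot inject it via the URL.
function require_login(): int
{
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['uid'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['uid'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```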
Eric Ellsworth wrote:
Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session-stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)


I can only use HTTP. Can anybody recommend a good way of transmitting the
passwords?

Jul 17 '05 #4
Well, if you really want to be super-secure, you should use an https:
connection and also a challenge response system, like so.

Your initial password page and subsequent login page can send the javascript
version of md5, which can be found here:
http://pajhome.org.uk/crypt/md5/md5.js

Initial account creation:
Before your form is submitted, whatever plaintext the user entered is
md5'ed, and then stored in the database in md5-ed form. Without https: this
phase does leave the possibility that this md5 hash could be intercepted,
though it is nice that your user's original password is not easily
retrievable. Store the md5ed version of the password rather than plaintext
so that the user's plaintext password (which is often the same for many
sites) cannot be retrieved.

After the user account has been created, your login page then sends a random
token (which is written into a separate session variable). Something like
the system time plus a word is a good choice, and you can write it into
<input type=hidden value="token_string">. Then, before the form is
submitted, the user's password is md5'ed, then concatenated with the token,
then md5ed again. On the server side, you take the token and the md5 hash
of the password from the database and concatenate and md5. Compare what the
form sends with this value. Voilà - basic challenge-response system. The
token serves as the "public key" in the challenge.

Hope this helps,

Eric

"dr. zoidberg" <so*****@example.wrong> wrote in message
news:X5****************@ns45.bih.net.ba...
Eric Ellsworth wrote:
Hi there, doc:
Two things to note.

1) Really all you need to store in the session is some flag saying that the
user is successfully logged in. Do be careful with register_globals here.
If you're going to hit the database every time, which I don't think is
necessary, you only really need that database connection to stay in the
session (If you really want tight security, perhaps include some way to
change session IDs every now and then to avoid session-stealing, but this
comes after making sure passwords are not transmitted as cleartext, etc.)


I can only use HTTP. Can anybody recommend a good way of transmitting the
passwords?

Jul 17 '05 #5
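The server side of the challenge-response Eric describes, added here as an illustration rather than code from the thread; note that under this scheme the stored md5 value itself answers the challenge, so it shields the plaintext password in transit but not the account if the database leaks. The `$stored_md5` value, the `test` password and the session key name are constructed for the example.

```php
<?php
// Added example: server side of md5(md5(password) . token) login.
// Values below are constructed; the session key name is an assumption.

session_start();

// Step 1: the login page issues a fresh token and remembers it in the
// session (random bytes instead of "system time plus a word").
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['login_token'] = $token;
    return $token; // goes into <input type=hidden name=token value="...">
}

// What the browser computes with md5.js before submitting the form.
function client_response(string $password, string $token): string
{
    return md5(md5($password) . $token);
}

// Step 2: recompute from the stored md5 hash and the issued token, then
// compare in constant time. The token is consumed so a captured response
// cannot simply be replayed against the same challenge.
function verify_response(string $stored_md5, string $response): bool
{
    if (!isset($_SESSION['login_token'])) {
        return false;
    }
    $token = $_SESSION['login_token'];
    unset($_SESSION['login_token']);
    $expected = md5($stored_md5 . $token);
    return hash_equals($expected, $response);
}

// Constructed demonstration: what the database holds, then one login round.
$stored_md5 = md5('test');
$token = issue_token();
$response = client_response('test', $token);
var_dump(verify_response($stored_md5, $response));
var_dump(verify_response($stored_md5, $response)); // second use fails
```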
