I just built a simple login system that uses sessions. When the script verifies that the username and password are both correct, it sets `$_SESSION[username]` and `$_SESSION[role]`, and then on every page of the site it just checks whether these two session variables are set.

Considering that the server handles the sessions, this should be a secure solution, right? Or should I set `$_SESSION[md5(password)]` as well when logging in, and then check on each page of the site whether all session variables match the user data in the database?

Lukas Hajdu
  • 806
  • 7
  • 18
Jeff
  • 165
  • 11
  • The data on the server is relatively safe, but there is still just a cookie on the client. If anyone gets that, they can impersonate the user. You won't get any extra security by storing the hash of the password in the session, since it's improbable that anyone would take the trouble of actually breaking into the server and then use the site, since they could just attack the database/system directly. – Sami Kuhmonen Apr 21 '15 at 10:25

2 Answers

2

Storing the password in your session is a bad idea; it also doesn't add any security to your website, since sessions are managed by the server.

You are, however, still vulnerable to session hijacking. Take a look at this question to learn more about how to prevent it.

Community
  • 1
  • 1
vdwijngaert
  • 1,515
  • 11
  • 24
  • Thanks for the answer! I will address that problem immediately. Is session hijacking the only security concern? – Jeff Apr 21 '15 at 10:24
  • 1
    You should also use a different hashing algorithm than md5, it is easily reversible. Check this answer: http://stackoverflow.com/a/401684/2427543. – vdwijngaert Apr 21 '15 at 10:31
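The session-hijacking mitigations this answer points to, shown as an added PHP example (not code from the answerer or the question): the session cookie is restricted to HTTPS, hidden from scripts and limited cross-site, strict mode rejects session ids the server never issued, the id is regenerated at login, and an idle timeout plus a proper logout bound how long a stolen cookie stays useful. It assumes PHP 7.3 or later (for the array forms of `session_set_cookie_params` and `setcookie`) and a `verify_credentials()` function of your own that returns the user's id or `null`.

```php
<?php
// Added example: hardened PHP session handling against session hijacking
// and fixation. Assumes PHP >= 7.3 and a verify_credentials() helper
// (not shown) that returns int|null. Nothing from the password is stored.

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Accept the id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Refuse ids the server did not create (closes the fixation hole).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    start_secure_session();
    $userId = verify_credentials($username, $password); // assumed helper: int|null
    if ($userId === null) {
        return false;
    }
    // Privilege changes at login: issue a fresh id so any id observed or
    // planted before authentication is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
    return true;
}

function require_login(int $idleSeconds = 1800): void
{
    start_secure_session();
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])
        || time() - (int) $_SESSION['last_activity'] > $idleSeconds) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = time();
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the data server-side.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Call `require_login()` at the top of every protected page; with `use_strict_mode` on, a forged or expired cookie simply results in a new, empty session rather than access to someone else's data.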
1

Don't store passwords outside your database. Don't even return passwords from your database. All you should need to get for session storage is the userID. Store that in the session and use it to look up role level and name data when required. If you are concerned about someone hacking the session data and changing the userID number, then you can store a hash of the userID number in the session as well (I recommend using something a bit more secure than a simple md5 though; there are plenty of rainbow tables around for that nowadays) and compare the hash in the session to the hash of the userID at lookup to verify nothing untoward has been happening.

MuppetGrinder
  • 234
  • 1
  • 8
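The pattern this answer describes, as an added PHP example (not the answerer's code): only the user id lives in the session, the role and name are read from the database on each request so a role change or account lockout takes effect immediately, and the id is tagged with a keyed HMAC-SHA256 in place of the md5 the answer warns against, compared in constant time. It assumes a PDO connection, a `users` table with `id`, `username` and `role` columns, and a server-side secret in the `SESSION_HMAC_KEY` environment variable; all three are assumptions for illustration.

```php
<?php
// Added example: store only the user id in the session, look up role/name
// from the database, and protect the stored id with a keyed hash.
// Assumptions: PDO $db, table users(id, username, role), and a secret key
// in the SESSION_HMAC_KEY environment variable (never stored in the session).

declare(strict_types=1);

function session_key(): string
{
    $key = getenv('SESSION_HMAC_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('SESSION_HMAC_KEY must be set (>= 32 bytes)');
    }
    return $key;
}

function user_id_tag(int $userId): string
{
    // Keyed hash: without the server-side key nobody can compute a valid tag,
    // which is what a plain md5 (or any unkeyed hash) cannot offer.
    return hash_hmac('sha256', (string) $userId, session_key());
}

function set_logged_in_user(int $userId): void
{
    session_regenerate_id(true); // fresh id at login
    $_SESSION['user_id']     = $userId;
    $_SESSION['user_id_tag'] = user_id_tag($userId);
}

function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'], $_SESSION['user_id_tag'])) {
        return null;
    }
    $userId = (int) $_SESSION['user_id'];
    // Recompute the tag and compare in constant time; a mismatch means the
    // stored id was altered, so drop the session entirely.
    if (!hash_equals(user_id_tag($userId), (string) $_SESSION['user_id_tag'])) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    // Role and name are read from the database at request time, so they are
    // never stale copies held in the session (and the password is never read).
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

function require_role(PDO $db, string $role): array
{
    $user = current_user($db);
    if ($user === null || $user['role'] !== $role) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}
```

A page restricted to administrators would call `$admin = require_role($db, 'admin');` after `session_start()`; the role check runs against the current database row, not against a value copied into the session at login.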