PHP Should you session password

Question

I am building a website that requires the user to enter email, password and full name. I am using email and password as login requirements.

Currently, I am using session variables to pass email and password (not hashed/salted) from login.php to index.php and other php pages. (hashed and salted in database)

Every time the user enters into another page, it will check the user's email and password session variables again.

Is it secure to use session variable to store email and password? If not, how can I make it more secure?

http://stackoverflow.com/questions/19594202/is-it-secure-to-store-a-password-in-a-session — Sam Segers, Sep 27 '15 at 00:33

score 4 · Accepted Answer · edited May 23 '17 at 12:29

See -- Is it secure to store a password in a session? -- regarding this, but also you should be aware of how it is easy to not have to do this.

The reason why you may find most people not doing this, secure or not, is because you are verifying a login on every page load forcing unnecessary checking from page to page and database calls. If I may offer a simpler solution that will make the question obsolete, consider the following code ::

Once the user has successfully logged in on the login page, add a session variable like so ::

$_SESSION['loggedin'] = 1;

Then on different pages you can take out this extraneous password checking code and simply do

if( $_SESSION['loggedin'] != 1 ) {
    die('You are not logged in'); // or redirect to login page
}

In this example we are taking a very simplistic approach, but this should help you get started on the logic needed to avoid this type of practice of storing passwords in sessions.

Thanks! I think i know what to do now. – HsuanWei Fu Sep 27 '15 at 01:04 — HsuanWei Fu, Sep 27 '15 at 01:04

PHP Should you session password

1 Answers1