
During login I am fetching the password from the database for comparison with the user-entered password, and if the comparison is successful, then I am storing that password in a variable using a setter method for further use in the change-password method.

In the change-password method I need to compare the user-entered value for the old password with the current password stored in the database. So I am using the value stored in that variable via the getter method, which was set during the successful login.

I just need to know whether this approach is correct or whether I need to call the database again for the password during?

LoicTheAztec
bhoomi
  • If I understand you correctly, you are storing passwords in plain text. Please don't do this. Do some research on the topic of storing and comparing password hashes. – reto May 18 '16 at 11:05
  • In essence the correct approach for anything security related is to **first** do a lot of reading and studying. You had better **not** start by coding your naive ideas. This is not meant as an insult; instead: getting security right is **hard**. You shouldn't write a single line of code until you have **really** dug into the whole subject for some time. In other words: a person who is really about to write such code ... should not need to ask such questions. – GhostCat May 18 '16 at 11:21
  • No, I am storing the hashed value of the password. – bhoomi May 18 '16 at 11:23
  • wrt what reto said: https://crackstation.net/hashing-security.htm for some background and http://stackoverflow.com/a/2861125/995891 for a PBKDF2 example in Java. I would also try to ensure that you change passwords in the database atomically so you don't accidentally accept an old password that was already replaced elsewhere (in another browser tab or so). I.e. don't trust your cache, and do call the database again when you need to verify that the password is correct. – zapl May 18 '16 at 11:24

2 Answers


If your application is able to log in from different systems with the same user, then this approach is very dangerous, because after logging in from one system I am able to change the password from another system, which is not reflected in the first login, and now I am able to change the password from both systems, which is wrong (because the new password is not stored in the login variable of the other session). So I would like to suggest: check from the database while.

Pankaj Saboo
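The scenario in this answer and in zapl's comment above (two sessions logged in as the same user, one of them changing the password) can be made concrete. The following is an added example, not code from the question or from either answer: it implements both the question's design (a hash cached in a session object at login) and the recommended one (re-read the row and update it with a compare-and-swap), and shows why only the second rejects a stale old password. Python's standard-library `hashlib.pbkdf2_hmac` and an in-memory SQLite table stand in for the asker's Java code and database; the schema, function names, user names and passwords are assumptions made for the demonstration.

```python
"""Added example (not the question's or answers' own code): verify a password
change against the database row as it exists now, not against a hash cached at
login.  Standard library only; schema and names are assumptions for the demo."""
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Kept low so the demo runs quickly; use a far higher iteration count in production.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing PBKDF2-HMAC-SHA256 string: algo$iters$salt$hash (hex)."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def new_db() -> sqlite3.Connection:
    """Constructed in-memory user table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return db


def create_user(db: sqlite3.Connection, username: str, password: str) -> None:
    db.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))
    db.commit()


def current_hash(db: sqlite3.Connection, username: str) -> Optional[str]:
    row = db.execute("SELECT password_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None


@dataclass
class Session:
    """One logged-in browser tab. cached_hash is what the question's setter keeps."""
    username: str
    cached_hash: str


def login(db: sqlite3.Connection, username: str, password: str) -> Optional[Session]:
    stored = current_hash(db, username)
    if stored is None or not verify_password(password, stored):
        return None
    return Session(username, stored)


def change_password_naive(db: sqlite3.Connection, s: Session, old: str, new: str) -> bool:
    """The question's approach: trust the hash cached at login, then overwrite the row."""
    if not verify_password(old, s.cached_hash):
        return False
    db.execute("UPDATE users SET password_hash = ? WHERE username = ?",
               (hash_password(new), s.username))
    db.commit()
    return True


def change_password_safe(db: sqlite3.Connection, s: Session, old: str, new: str) -> bool:
    """Re-read the row, verify against it, and update only if it is still unchanged."""
    stored = current_hash(db, s.username)
    if stored is None or not verify_password(old, stored):
        return False
    cur = db.execute(
        "UPDATE users SET password_hash = ? WHERE username = ? AND password_hash = ?",
        (hash_password(new), s.username, stored))
    db.commit()
    # rowcount 0 means another session replaced the hash between our SELECT and UPDATE.
    return cur.rowcount == 1


def race_demo() -> dict:
    """Two tabs log in as alice; tab A changes the password; tab B still holds the old hash."""
    db = new_db()
    create_user(db, "alice", "old-secret")
    tab_a = login(db, "alice", "old-secret")
    tab_b = login(db, "alice", "old-secret")
    results = {
        "wrong_login_rejected": login(db, "alice", "wrong") is None,
        "tab_a_safe_change": change_password_safe(db, tab_a, "old-secret", "new-secret"),
        # Safe path: tab B's old password is stale, so the change is refused.
        "tab_b_safe_change": change_password_safe(db, tab_b, "old-secret", "whatever"),
        # Naive path: tab B's cached hash still matches "old-secret", so it overwrites A's change.
        "tab_b_naive_change": change_password_naive(db, tab_b, "old-secret", "hijacked"),
    }
    results["hijacked_password_works"] = login(db, "alice", "hijacked") is not None
    return results


if __name__ == "__main__":
    for k, v in race_demo().items():
        print(f"{k}: {v}")
```

The conditional `UPDATE ... WHERE password_hash = ?` is what makes the safe variant atomic: even if two change-password requests race, at most one of them sees `rowcount == 1`, and the loser is told to re-enter the current password. The naive variant shows the failure mode this answer describes, since the stale hash in tab B is enough to set a new password after tab A has already changed it.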

Don't store the password locally; just create another page/method/action to compare it. You can use some encryption for your password, like base change or some other available library, to make it safer if you are storing them locally. I would suggest not storing them.

Shaurya