
I am making a new application and I was looking into the $_SESSION data after logging in. I saw that I can find my password in hash there?!?! Like why? I want to remove the password from the $_SESSION but I don't know how I can do that.

The weirdest thing is: I followed the CMS tutorial from the cookbook.

What did I do? I changed my User entity to the following code, without any results:

Does someone know what I can do to remove the password from the session? It's really really unsafe to store the password there...

  • Please explain why it is unsafe to store the hash in the session but it is safe to store it in a database. – KIKO Software Mar 02 '23 at 16:00
  • A session is stored in a cookie, which is easier to hack than an average database... I worked with frameworks such as Laravel before and they don't store the hash in the session – Sander van Hoogdalem Mar 02 '23 at 16:04
  • Normally the session would be stored on the server, like a database. The cookie on the client's computer is only a reference to the session on the server. – KIKO Software Mar 02 '23 at 16:05
  • So it's not a big deal? Because I don't want security risks – Sander van Hoogdalem Mar 02 '23 at 16:08
  • I don't think it's a big deal, as long as your server is secure. Sessions often contain sensitive data. – KIKO Software Mar 02 '23 at 16:09
  • If you want to improve security you could protect the session ID cookie against [session hijacking](https://stackoverflow.com/questions/6483092/php-session-hijacking). – KIKO Software Mar 02 '23 at 16:12
  • The session is NOT stored in a cookie. The session *ID* is stored in a cookie. The session data itself is only ever on the server. – Greg Schmidt Mar 02 '23 at 16:40
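One way to keep the hash out of the session in a Symfony-style User entity, as an added example that is not part of the question, the comments or Symfony's own code. It assumes a Doctrine-mapped `User` with `$id`, `$email`, `$password` (the hash) and `$roles`; Symfony stores the authenticated user inside the security token, which is `serialize()`d into the session, so PHP's `__serialize()` controls exactly what reaches `$_SESSION`.

```php
<?php
// Added example, not the asker's entity or Symfony's code. Class and property
// names are assumptions about a typical Symfony User entity.

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, PasswordAuthenticatedUserInterface, EquatableInterface
{
    private int $id;
    private string $email;
    private string $password;            // the hash produced by a PasswordHasher
    private array $roles = ['ROLE_USER'];

    // Only these properties are written into the session; the hash is omitted.
    public function __serialize(): array
    {
        return ['id' => $this->id, 'email' => $this->email, 'roles' => $this->roles];
    }

    public function __unserialize(array $data): void
    {
        $this->id       = $data['id'];
        $this->email    = $data['email'];
        $this->roles    = $data['roles'];
        $this->password = '';            // never restored from the session
    }

    // Symfony's default token check compares the session user's password with
    // the user freshly reloaded by the user provider; an empty session password
    // would look like a change and log the user out on every request.
    // Implementing EquatableInterface replaces that check with this one.
    // Caveat: a password change no longer invalidates existing sessions by
    // itself, so end them explicitly when the hash is updated if you need that.
    public function isEqualTo(UserInterface $user): bool
    {
        return $user instanceof self && $user->id === $this->id;
    }

    public function getUserIdentifier(): string { return $this->email; }
    public function getRoles(): array { return $this->roles; }
    public function getPassword(): ?string { return $this->password; }
    public function eraseCredentials(): void {}
}
```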
