Configuring SESSION Logged Data - Security?

I am wondering how secure the code below is:

// Compare the submitted credentials with the user record loaded from the database
if ($username == $user->username && $password == $user->password) {
    // Mark this server-side session as authenticated and remember who logged in
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId'] = $user->userId;
}

Basically, can anyone fake the SESSION variable (besides actually stealing the user's cookies)?

1 answer

It looks fine to me. Just do not store the password or other sensitive data in the session, in case someone steals the session ID. I believe most of the security risk lies in getting the password securely to the server.

In addition, you should at the very least keep your password hashed. Do this (assuming $user->password is hashed using sha1):

sha1($password) == $user->password

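As an added illustration (not code from the question or the answer), here is how the same login check looks with PHP's built-in password API instead of a bare sha1 comparison: the hash is verified in constant time, the session ID is regenerated at login, and only the user ID goes into the session. It assumes the caller has already called session_start() and loaded $user by username, with $user->password_hash produced by password_hash(); updateUserHash() is a hypothetical persistence helper.

```php
<?php
// Added example, not from the original post. Assumes session_start() has run
// and $user was loaded from the database by the submitted username.
declare(strict_types=1);

function loginUser(string $password, ?object $user): bool
{
    // Run a verify even when the user does not exist, so unknown and
    // known usernames take about the same time to reject.
    $storedHash = $user !== null
        ? $user->password_hash
        : password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    // password_verify() is constant-time and sidesteps PHP's loose `==`,
    // and it handles the per-user salt embedded in the stored hash.
    if ($user === null || !password_verify($password, $storedHash)) {
        return false;
    }

    // New session ID on privilege change, so an ID the client held before
    // authenticating (session fixation) does not become an authenticated one.
    session_regenerate_id(true);

    // Store only what identifies the user; neither the password nor its
    // hash is ever placed in $_SESSION.
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId']   = $user->userId;

    // Transparently upgrade hashes when the default algorithm or cost changes.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Hypothetical helper that writes the new hash back to the database.
        // updateUserHash($user->userId, makePasswordHash($password));
    }
    return true;
}

// Registration/password-change side: store a salted, slow hash, never the
// plaintext and never an unsalted sha1 digest.
function makePasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}
```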

Source: https://habr.com/ru/post/1765741/
