Alain Roger wrote:
I would like to implement a module access rights in my web application.
Basically after authentication and authorization. Logged user has a
particular profile which allow him to have access to some part of the web
application.
after reading the security guide from *php*sec.org webpage, i'm confused
regarding how to store user login and password.
I mean the encrypted password stored in database is compared to encrypted
password that user type.
But where to store login and password once user is logged ?
when i read the security guide it seems that it is not secured enough to
store them in cookies or in sessions data...
both can be hacked... So what is the best solution ?
i will use those stored data to check if logged user can have access to a
particular part of the web application.
What is your point of view in such domain ?
Ok, once the user has logged in there is no need to store the password.
Simply store the username or other user details (but not the password)
in the session - that's as secure as it's gonna get.
*Never* store a password in a cookie. *Ever*.
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
