Lazor, Ed wrote:

>Use sessions.  Create a user_id and pass that as a session variable rather
>than the user's actual login and password.
>-----Original Message-----
>On my site, when a user logs in, their password is encrypted using md5() and
>the username and encrypted password is then passed from page to page using
>hidden form inputs (clicking on a link submits the form using POST).
>Does anyone have any comments on this method e.g. security wise? I know I
>could use sessions or cookies but is it relly necessary?

This is good advice. There are many reasons why, but here's one off the 
top of my head:

When you pass the encrypted password around, you can pretty much 
consider it in the public domain, right? Well, what happens when someone 
else takes that encrypted password (why bother decrypting it?) and 
presents it back to your site? That's right; they're in. This is called 
a presentation attack, and you'd be amazed at how many sites are 
vulnerable to this (I wrote an article a while back about how to break 
into MS Passport using this technique).

How do sessions help against this? Well, they don't solve the problem 
entirely, of course, but the unique ID you pass around won't be the same 
unique ID *every* time that user visits the site. So, you at least have 
a good chance of making the window of time that an imposter has to work 
with very small.

Security is all about making things really hard for potential attackers.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to