Re: [PHP] storing passwords in $_SESSION
On Tue, 2005-10-11 at 00:25 +0200, Oliver Grätz wrote:
> Dan Brow wrote:
> > Thanks, figured that would be the case. Can't for life of me think why I
> > wanted to do that, must have had a brain infarction. I want to have an
> > expired session prompt so people can log back in without having to start
> > at the login page. Would having the users login saved in $_SESSION be
> > alright? prompt them for their password and compare it with the password
> > in the DB be fine? I want to reduce the amount of typing someone has to
> > do when a session expires.
>
> Why don't you leave the decision if they want to type to the user? My
> browser keeps track of what I entered into every login form I ever
> visited...

This app is going to be in a doctor's office. I don't want people storing passwords on systems that have patient records.

Dan.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] storing passwords in $_SESSION
Richard Davey wrote:
> Agreed totally, I am curious as to why this question seems to get asked
> a LOT though. I wonder what it is that causes this? (other than
> inexperience) I mean there must be some common end result these
> developers are hoping to obtain, resulting in a password being stashed
> away in a session var.

What about this scenario. A system developed using procedures / functions to update data without direct table access. Bypassing the single user account from the application to the database (which most web based apps use), each procedure requires additional parameters (username, password) which then verifies the user (from a user lookup table) before executing the stored procedure. This makes the system more secure in case the web app username and password is breached which usually has full access to the db.

Of course storing it in a session is a no-no, so what I am trying to get at is, perhaps a reason for storing the password somewhere.

Your thoughts Richard?

Thanks!

Warm Regards
Terence
[PHP] storing passwords in $_SESSION
How secure is it to save a password in $_SESSION. i.e. $_SESSION['password'] is it safe and is it practical?

Thanks,
Dan.
RE: [PHP] storing passwords in $_SESSION
[snip]
How secure is it to save a password in $_SESSION. i.e. $_SESSION['password'] is it safe and is it practical?
[/snip]

I would think it neither safe nor practical. Once a user has logged in having the password in SESSION would be useless.
Re: [PHP] storing passwords in $_SESSION
> How secure is it to save a password in $_SESSION. i.e.
> $_SESSION['password'] is it safe and is it practical?

Probably not. If you're on a shared server, I could write a PHP script to look in /tmp and read the contents of every session file there...

-philip
Re: [PHP] storing passwords in $_SESSION
Hi Dan,

Monday, October 10, 2005, 7:43:31 PM, you wrote:
> How secure is it to save a password in $_SESSION. i.e.
> $_SESSION['password'] is it safe and is it practical?

No, and no (well, not if you want to be safe)

More to the point - why would you ever want to? If you've found yourself in a situation where the only option open to you is this, you need to hit the drawing board again and re-design your application. Big time.

Cheers,
Rich
--
Zend Certified Engineer
http://www.launchcode.co.uk
Re[2]: [PHP] storing passwords in $_SESSION
Hi Jay,

Monday, October 10, 2005, 7:36:12 PM, you wrote:
> I would think it neither safe nor practical. Once a user has logged in
> having the password in SESSION would be useless.

Agreed totally, I am curious as to why this question seems to get asked a LOT though. I wonder what it is that causes this? (other than inexperience) I mean there must be some common end result these developers are hoping to obtain, resulting in a password being stashed away in a session var.

I wonder if they're using it (+ a username) to perform a user look-up on every page? The mind boggles.

Cheers,
Rich
--
Zend Certified Engineer
http://www.launchcode.co.uk
Re: [PHP] storing passwords in $_SESSION
Thanks, figured that would be the case. Can't for life of me think why I wanted to do that, must have had a brain infarction.

I want to have an expired session prompt so people can log back in without having to start at the login page. Would having the users login saved in $_SESSION be alright? prompt them for their password and compare it with the password in the DB be fine? I want to reduce the amount of typing someone has to do when a session expires.

Thanks.
RE: [PHP] storing passwords in $_SESSION
Well, um. ya. Back to the drawing board. Save it in a cookie?

On Mon, 2005-10-10 at 14:59 -0400, Kilbride, James wrote:
> If the session expired.. how will session hold their user id??
>
> -----Original Message-----
> From: Dan Brow [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 10, 2005 3:05 PM
> To: PHP-Users
> Subject: Re: [PHP] storing passwords in $_SESSION
>
> Thanks, figured that would be the case. Can't for life of me think why I
> wanted to do that, must have had a brain infarction. I want to have an
> expired session prompt so people can log back in without having to start
> at the login page. Would having the users login saved in $_SESSION be
> alright? prompt them for their password and compare it with the password
> in the DB be fine? I want to reduce the amount of typing someone has to
> do when a session expires.
>
> Thanks.
Re: [PHP] storing passwords in $_SESSION
Yet another unsafe way... You can try to write a program that reads stored cookies in Temporary Internet Files - it's a piece of cake for somebody who is an advanced programmer.

The best way is to eliminate lazy users - you simply do not implement auto login. It's the fastest, safest and the easiest way to solve the problem.

Emil NOVAK
LAMP Developer

On 10/10/05, Dan Brow [EMAIL PROTECTED] wrote:
> Well, um. ya. Back to the drawing board. Save it in a cookie?
Re: [PHP] storing passwords in $_SESSION
I was meaning just the username, not the password, still the same issue?

On Mon, 2005-10-10 at 21:35 +0200, Emil Novak wrote:
> Yet another unsafe way... You can try to write a program that reads
> stored cookies in Temporary Internet Files - it's a piece of cake for
> somebody who is an advanced programmer.
>
> The best way is to eliminate lazy users - you simply do not implement
> auto login. It's the fastest, safest and the easiest way to solve the
> problem.
>
> Emil NOVAK
> LAMP Developer
Re: [PHP] storing passwords in $_SESSION
Oh, just username... That's a good idea.

Emil NOVAK
LAMP Developer

On 10/10/05, Dan Brow [EMAIL PROTECTED] wrote:
> I was meaning just the username, not the password, still the same issue?

--
Emil NOVAK, developer of the Slonix distribution
Re: [PHP] storing passwords in $_SESSION
Sorry for the confusion, I should have changed the subject line to reflect my new idea.

Thanks.

On Mon, 2005-10-10 at 22:03 +0200, Emil Novak wrote:
> Oh, just username... That's a good idea.
>
> Emil NOVAK
> LAMP Developer
RE: [PHP] storing passwords in $_SESSION
Why not store a cookie and session variable with a randomly generated ID code (see uniqid function in manuals) then just check to see if one is equal to the other on your relogin.

This way you don't record any personal user information and can still do an autologin type script.

- Jeff

-----Original Message-----
From: Dan Brow [mailto:[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 4:51 PM
To: PHP-Users
Subject: Re: [PHP] storing passwords in $_SESSION

> Sorry for the confusion, I should have changed the subject line to
> reflect my new idea.
>
> Thanks.
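
An added example, not code from any poster in this thread: one way to build the expired-session prompt discussed above, where a random cookie token only recalls the username and the password is always typed again and checked against a stored hash. It uses random_bytes() rather than the uniqid() mentioned in the thread, because uniqid() is derived from the current time and is not cryptographically secure; the in-memory $users and $tokens arrays, the function names and the alice account are assumptions standing in for database tables.

```php
<?php
// Constructed stand-ins for the users and token tables (assumptions).
$users  = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$tokens = []; // sha256(token) => ['user' => ..., 'expires' => ...]

// At login: issue a random token that only recalls which username to prefill.
function issue_relogin_token(array &$tokens, string $user, int $ttl = 28800): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG; uniqid() is time-based
    $tokens[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + $ttl];
    return $token;
}

// On the "session expired" page: map the cookie value to a username, or null.
function username_for_token(array $tokens, string $cookie): ?string
{
    $row = $tokens[hash('sha256', $cookie)] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    return $row['user'];
}

// The password is always typed again and checked against the stored hash.
function relogin(array $users, array &$tokens, string $cookie, string $password): bool
{
    $user = username_for_token($tokens, $cookie);
    if ($user === null || !isset($users[$user])) {
        return false;
    }
    if (!password_verify($password, $users[$user])) {
        return false;
    }
    unset($tokens[hash('sha256', $cookie)]); // single use; issue a fresh token
    return true; // a real app would call session_regenerate_id(true) here
}

$cookie = issue_relogin_token($tokens, 'alice');
// In a real response, sent over HTTPS only:
// setcookie('relogin', $cookie, ['expires' => time() + 28800,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
var_dump(username_for_token($tokens, $cookie));
var_dump(relogin($users, $tokens, $cookie, 'wrong password'));
var_dump(relogin($users, $tokens, $cookie, 'correct horse battery'));
var_dump(relogin($users, $tokens, $cookie, 'correct horse battery'));
```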
Re: [PHP] storing passwords in $_SESSION
Dan Brow wrote:
> Thanks, figured that would be the case. Can't for life of me think why I
> wanted to do that, must have had a brain infarction. I want to have an
> expired session prompt so people can log back in without having to start
> at the login page. Would having the users login saved in $_SESSION be
> alright? prompt them for their password and compare it with the password
> in the DB be fine? I want to reduce the amount of typing someone has to
> do when a session expires.

Why don't you leave the decision if they want to type to the user? My browser keeps track of what I entered into every login form I ever visited...

AllOLLi

We'll draw straws. They're coming. We don't have time to argue about who gets to risk their life.
[Locke on LOST 124]