I've been working on all this encryption, hashing, and salting but I just noticed that the password is in a $_SESSION in plaintext. Just how safe is this? Should I use some AES-256 so I can retrieve the data or is it fine the way it is?
Other than inside your own script, $_SESSION is only viewable by someone who has access to /tmp/ on the server, aka, just the admins. It should be quite safe.
Last edited by garrettroyce; 06-30-2009 at 09:59 PM.
gjr.gr - coming soon: secrets of OCD coding from a self taught tinkerer
It's definitely a good way to think.
There is a cookie saved to the user's computer, but it contains no session information, just the session ID.
You can create your own session handler class if you need the utmost security, but it will require a lot of time and programming.