Nathan Dawson

Reputation: 19338

Hidden Form Element Password Safety

I have a form that has to pass data across two pages.

On page 1 the user fills in a few details. Page 2 presents them with a confirmation screen where they can either agree or go back and edit their details.

On page 2 the values from page 1 are stored in hidden form fields.

E.g.

<input type="hidden" name="user_email" value="[email protected]" />

When the user hits submit on page 2 some PHP code runs and they're added to the site.

On page 1 the user enters a password and my concern is how I handle this on page 2. I don't think outputting it in the hidden form field is a good idea. The PHP that runs will hash this password anyway so I was thinking of hashing it between page 1 and page 2 so that the hidden form field's value is the hashed version instead of plain text. Is there an even better way I could be doing this?

Upvotes: 0

Views: 485

Answers (3)

cmorrissey

Reputation: 8593

Use session variables to store this information; never pass it back to the page as hidden form fields. $_SESSION

Upvotes: 3

Parag Tyagi

Reputation: 8970

You can use password_hash() and store the password in the session or a cookie,

or you can store the user data in the database, add the user_id to the session, and use that id to update the fields later.

Upvotes: 0

Jono20201

Reputation: 3205

Input the data inserted in page 1 into a database table (called pending_user_register or something) that has a unique hash (don't just use the unique ID) and then reference the unique hash in the hidden text field instead?

Or go the simple route and use $_SESSION.

Or, use the above method but instead of a hidden field put it in the $_SESSION.

Upvotes: 0
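
The pending-registration approach from the answers above, as an added example (not code from the question or from any answer): page 1 hashes the password with password_hash() and keeps the details server-side, so page 2 carries only a random single-use token. The column names, function names, 15-minute lifetime and in-memory SQLite store are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Column names, function names and the TTL are assumptions.

const PENDING_TTL = 900; // seconds a pending registration stays valid (assumed)

function openStore(): PDO {
    $db = new PDO('sqlite::memory:'); // stand-in for the site's real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending_user_register (
        token_hash TEXT PRIMARY KEY, user_email TEXT NOT NULL,
        password_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Page 1 handler: hash the password immediately, keep everything server-side,
// and return only a random token for the hidden field on page 2.
function stashRegistration(PDO $db, string $email, string $password): string {
    $token = bin2hex(random_bytes(32)); // unguessable, unlike a row ID
    $stmt = $db->prepare('INSERT INTO pending_user_register VALUES (?, ?, ?, ?)');
    $stmt->execute([
        hash('sha256', $token), // store a digest, not the token itself
        $email,
        password_hash($password, PASSWORD_DEFAULT),
        time() + PENDING_TTL,
    ]);
    return $token;
}

// Page 2 handler: resolve the token, then delete the row so it cannot be reused.
function confirmRegistration(PDO $db, string $token): ?array {
    $key = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_email, password_hash FROM pending_user_register
                          WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([$key, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null; // null if unknown or expired
    $db->prepare('DELETE FROM pending_user_register WHERE token_hash = ?')->execute([$key]);
    return $row; // caller copies both fields into the real users table
}

// Constructed sample values, run from the CLI to show the flow end to end.
$db    = openStore();
$token = stashRegistration($db, 'user@example.test', 'constructed-sample-password');
echo '<input type="hidden" name="pending_token" value="', htmlspecialchars($token), '" />', PHP_EOL;

$user = confirmRegistration($db, $token);
var_dump(password_verify('constructed-sample-password', $user['password_hash']));
var_dump(confirmRegistration($db, $token)); // same token submitted a second time
```

The same two functions work with the token held in $_SESSION instead of a hidden field, in which case nothing about the pending registration is sent back to the browser.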
