Ian McIntyre Silber
Reputation: 5663
Setting logged in SESSION data - security?
I'm wondering how secure the below code is:
if ($username == $user->username && $password == $user->password) {
$_SESSION['loggedIn'] = true;
$_SESSION['userId'] = $user->userId;
}
Basically, would there be any way for someone to fake the SESSION variable (besides actually stealing a users cookie)?
Upvotes: 3
Views: 105
Answers (1)
Kyle
Reputation: 2018
Seems fine to me. Just don't store the password or sensitive data in the session in case someone does steal the session id. I believe most of the security risks take place in getting the password to the server securely.
Also, you should store your password hashed at least. Making it (assuming $user->password is hashed using sha1) sha1($password) == $user->password
Upvotes: 1
Related Questions
- Is storing user ID in a session secure?
- Security for login by session in php
- PHP - Sessions - Security
- PHP: a secure way to keep login information
- PHP User Authentication with Sessions
- Securing PHP $_SESSION data?
- What do I need to store in the php session when user logged in?
- Session Security?
- How to securely set session variables for logging someone in?