Reputation: 33
If a user successfully enters a password and username, and you want to set the session, what data should the session contain? I'm quite confused about this; I've read that it should be a randomly generated string. Can I store hashed user_id + salt? I want to be able to verify that this is indeed the correct user.
The form:
<form method="POST" action="">
    <input type="hidden" name="auth_token" value="<?php echo $form_token; ?>">
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <input type="submit" name="action" value="Login">
</form>
I want to do something like the following:
if form token in session = form_token var in form
    if username and password are correct
        set session hash(user_id + salt)
Edit: Forgot to add, it'll most likely be on shared hosting.
Upvotes: 3
Views: 261
Reputation: 18041
Is there a reason for avoiding a simple boolean to indicate that a user has been authenticated? If not, then I'd suggest:
<?php
session_start(); // $_SESSION is only available after the session has been started
// 'test'/'test' stands in for a real credential lookup
if ($_POST["username"] == 'test' && $_POST["password"] == 'test') {
    $_SESSION['authenticated'] = true;
}
?>
Upvotes: 1
Reputation: 8354
Some people would just store the ID. Your idea of a salted hash version of that would suffice as well, but seems like overkill. On subsequent page loads, verify the ID against the database.
Upvotes: 1
Reputation: 166
You could simply store the user ID in the session array. Only the session ID cookie is sent to the browser, and the 'outside world' is unaware of what's stored in the session itself. Storing something to show that a user is authenticated is handy too.
Never store plaintext passwords, anywhere.
$_SESSION["UserAuthenticated"] = true;
$_SESSION["UserID"] = $userID;
Upvotes: 7
Reputation: 180024
Your session should contain the user's username or other internal user ID.
There's no need to hash, salt, etc., as the session data is stored on your server, not the user's machine as a cookie. There's also no need to store the password in any form, as you've already authenticated them.
Upvotes: 1
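The pattern the answers above converge on (check the form token, verify the credentials, keep only the internal user ID server-side, and re-check that ID on later requests), put together as an added example. This is not code from the question or from any of the answers. It assumes PHP 7.1 or later, a PDO connection in `$pdo`, and a hypothetical `users` table with columns `id`, `username` and `password_hash` (the hash produced by `password_hash()`); the table name, column names and `$pdo` are assumptions, not something the thread specifies.

```php
<?php
// Added example: login handler that stores only the server-side user ID.
// Assumed: $pdo is a PDO connection; table `users` has id, username,
// password_hash (both the table and $pdo are assumptions for this example).

// Cookie hardening before the session starts: the browser only ever sees the
// session ID cookie, so protect that cookie. use_strict_mode rejects session
// IDs the server did not issue itself.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1'); // only meaningful over HTTPS
session_start();

// Per-session CSRF token for the login form; emitted into the hidden
// auth_token field and compared with hash_equals() so the comparison does not
// leak how many leading bytes matched.
if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
}
$form_token = $_SESSION['form_token'];

function login(PDO $pdo, array $post): bool
{
    // 1. The token from the hidden field must match the one in the session.
    if (!isset($post['auth_token'], $_SESSION['form_token'])
        || !hash_equals($_SESSION['form_token'], (string) $post['auth_token'])) {
        return false;
    }

    // 2. Look the user up and verify the submitted password against its hash.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([(string) ($post['username'] ?? '')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || !password_verify((string) ($post['password'] ?? ''), $row['password_hash'])) {
        return false;
    }

    // 3. New session ID on login, so a session ID an attacker planted before
    //    authentication (session fixation) does not become a logged-in one.
    session_regenerate_id(true);
    unset($_SESSION['form_token']); // the login token is single-use

    // 4. Store the internal ID and nothing derived from the password. The
    //    session data lives on the server; only the session ID is sent out.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// On later requests, resolve the stored ID back to a user row. A user that was
// deleted or disabled since login must not keep a working session.
function current_user(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        session_unset();
        session_destroy();
        return null;
    }
    return $user;
}

if (($_POST['action'] ?? '') === 'Login') {
    echo login($pdo, $_POST) ? 'logged in' : 'login failed';
}
```

On the shared-hosting point from the question: the default `session.save_path` is often a directory shared by every account on the host, so set `session.save_path` (via `ini_set()` before `session_start()`, or in `.htaccess`/`php.ini` if the host allows it) to a directory under your own account that the web server can write to; this keeps the session files, and the user IDs in them, out of other customers' reach.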