Hi, do not worry, I will not store a password in a cookie. It is stored encrypted in the database.

Al.

On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
Alain Roger wrote:
> I would like to implement module access rights in my web application.
> Basically, after authentication and authorization, the logged-in user has a
> particular profile which allows him to have access to some parts of the web
> application.
>
> After reading the security guide from the phpsec.org webpage, I'm confused
> regarding how to store the user login and password.
> I mean the encrypted password stored in the database is compared to the
> encrypted password that the user types.
>
> But where to store the login and password once the user is logged in?
>
> When I read the security guide it seems that it is not secure enough to
> store them in cookies or in session data...
> Both can be hacked... So what is the best solution?
>
> I will use those stored data to check if the logged-in user can have access
> to a particular part of the web application.
>
> What is your point of view in such a domain?

Ok, once the user has logged in there is no need to store the password.
Simply store the username or other user details (but not the password) in
the session - that's as secure as it's gonna get.

*Never* store a password in a cookie. *Ever*.

-Stut
--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
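One way to apply Stut's advice in PHP, as an added example that is not code from this thread: the password is checked against the hash in the database and only the user's id and profile go into the session, which the per-module access check then reads. It assumes PHP 5.5 or later (for password_verify()), an open PDO connection, a hypothetical users table with a pw_hash column, and a made-up profile-to-module map.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 5.5 for
// password_verify(); hashes are created at registration with
// password_hash($pw, PASSWORD_DEFAULT). The users table and the
// profile-to-module map below are hypothetical.

session_start();

/** Hypothetical DB lookup: returns id, login, pw_hash, profile or null. */
function fetch_user_by_login(PDO $db, $login) {
    $stmt = $db->prepare('SELECT id, login, pw_hash, profile FROM users WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Log the user in. Returns true on success; the password is never stored. */
function login(PDO $db, $login, $password) {
    $user = fetch_user_by_login($db, $login);
    if ($user === null || !password_verify($password, $user['pw_hash'])) {
        return false;            // same answer for unknown user and wrong password
    }
    session_regenerate_id(true); // fresh session id so a pre-login id cannot be reused
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['login']   = $user['login'];
    $_SESSION['profile'] = $user['profile'];   // e.g. 'admin' or 'editor'
    return true;
}

/** Which modules each profile may reach (constructed sample map). */
$MODULE_RIGHTS = array(
    'admin'  => array('users', 'reports', 'orders'),
    'editor' => array('orders'),
);

/** True if the logged-in user's profile grants access to $module. */
function can_access($module) {
    global $MODULE_RIGHTS;
    if (!isset($_SESSION['user_id'], $_SESSION['profile'])) {
        return false;            // not logged in
    }
    $profile = $_SESSION['profile'];
    $allowed = isset($MODULE_RIGHTS[$profile]) ? $MODULE_RIGHTS[$profile] : array();
    return in_array($module, $allowed, true);
}

// At the top of a protected page, e.g. reports.php:
// if (!can_access('reports')) { header('HTTP/1.1 403 Forbidden'); exit; }
```

Because the session holds only the id and profile, a leaked session cookie exposes no credential, and revoking access is a matter of changing the profile in the database.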