On 3/4/07, Stut <stuttle@xxxxxxxxx> wrote:
> Alain Roger wrote:
> > I would like to implement module access rights in my web application.
> > Basically after authentication and authorization, the logged-in user has a
> > particular profile which allows him to have access to some parts of the web
> > application.
> >
> > After reading the security guide from the *php*sec.org webpage, I'm confused
> > regarding how to store user login and password.
> > I mean the encrypted password stored in the database is compared to the encrypted
> > password that the user types.
> >
> > But where to store login and password once the user is logged in?
> >
> > When I read the security guide it seems that it is not secure enough to
> > store them in cookies or in session data...
> > Both can be hacked... So what is the best solution?
> >
> > I will use those stored data to check if the logged-in user can have access to a
> > particular part of the web application.
> >
> > What is your point of view in such a domain?
>
> Ok, once the user has logged in there is no need to store the password.
> Simply store the username or other user details (but not the password) in
> the session - that's as secure as it's gonna get.
>
> *Never* store a password in a cookie. *Ever*.
>
> -Stut

That's right, never store a password in a cookie or session. Maybe a little extra security could be added by locking the cookie to an IP address, but anything more secure isn't possible.

Tijnema

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
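As an added illustration of Stut's advice (not code from the thread or from any of its posters): a login that verifies the typed password against the stored hash and then keeps only the user id, profile and allowed modules in the session, plus the gate each module page calls. It assumes passwords are stored as password_hash() values in a `users` table with `id`, `username`, `password_hash` and `profile` columns, and an invented profile-to-module mapping.

```php
<?php
// Added example (not from the thread): a minimal session-based module
// access check in the spirit of Stut's advice. The users table, its
// columns and the profile -> module mapping are assumed for illustration.

// Cookie hardening must be configured before the session starts.
session_set_cookie_params([
    'httponly' => true,  // cookie not readable from JavaScript
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Which modules each profile may use (assumed mapping). */
function modulesForProfile(string $profile): array
{
    $map = [
        'admin'  => ['users', 'reports', 'settings'],
        'editor' => ['reports'],
    ];
    return $map[$profile] ?? [];
}

/** Check credentials against the stored hash. On success keep only the
 *  user id, profile and module list in the session, never the password. */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, profile FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against a password_hash() value in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);  // new session id on login: blocks session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['profile'] = $row['profile'];
    $_SESSION['modules'] = modulesForProfile($row['profile']);
    return true;
}

/** Gate a page: call at the top of every module script. */
function requireModule(string $module): void
{
    $allowed = $_SESSION['modules'] ?? [];
    if (empty($_SESSION['user_id']) || !in_array($module, $allowed, true)) {
        http_response_code(403);
        exit('Access denied');
    }
}
```

A module page such as reports.php would start with `requireModule('reports');` after including this file; the browser only ever holds the session cookie, never the credentials.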