On Tue, Sep 2, 2008 at 3:27 PM, k bah <kbah@xxxxxxxxxxxxx> wrote: > > Hi, > > I noticed session files are kept on /tmp for a while, and even if they > were immediately deleted, well, someone could use one of my php scripts to > inject code and read them, since they belong to the httpd user. > What's the best way to receive passwords thru a form and store them in the > $_SESSION while I process other information to decide whether or not that > user is able to proceed and login (check to see if user is also allowed to > use that service, not just validate user/pw)? I use https, always, no plain > http is used. > > Thanks > > = > > > -- > Powered by Outblaze > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > I personally would recommend you never store passwords in $_SESSION. I don't know how your auth code works, but the way I've always done it would be to process everything when you his submit, with the password being in $_POST or $_GET, then after you authenticate the user, drop it and don't store it with sessions. If you find you need it to be stored for other things, I'd suggest rethinking the design/checking you're doing. -- -Dan Joseph www.canishosting.com - Plans start @ $1.99/month. "Build a man a fire, and he will be warm for the rest of the day. Light a man on fire, and will be warm for the rest of his life."