On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak <blindspotpro@xxxxxxxxxxx> wrote:

> This is mostly to make sure I understand how sessions are handled
> correctly.
> As far as sessions are concerned the variable data is stored on the server
> (be it in memory or temp files), and never transmitted across the net
> unless output to the page? So this means I should be able to store the
> username and password for a program in session vars for quick validations,
> and if I force re-entry of the password for sensitive areas (every time) even
> if someone manages to spoof the sesid all they will have access to is
> non-sensitive areas? This also assumes I, at least, quick validate at the
> start of every page immediately after starting the session.

Passwords should never be stored anywhere in clear text. You can store an md5
version in the session or database. As long as the password is encrypted you're fine and safe.

Thanks,
V
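An added example, not part of the original thread: the design asked about above (quick validation on every page, password re-entry for every sensitive area), written for PHP 7+. It assumes the session holds only the username and that the stored credential is a `password_hash()` hash rather than the md5 mentioned in the reply; the function names, the array passed in place of `$_SESSION`, and the sample user are constructed for illustration.

```php
<?php
// Constructed sample user store; in a real application this is a database row.
$users = ['frank' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Log in: verify the password once, then keep only the username in the session.
// $session stands in for $_SESSION so the example also runs from the CLI.
function login(array &$session, array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) at this point so an
    // id issued before login cannot be reused afterwards.
    $session = ['user' => $user];   // no password and no hash stored here
    return true;
}

// Quick validation for the top of every page: is this a known, logged-in user?
function quick_validate(array $session, array $users): bool
{
    return isset($session['user']) && isset($users[$session['user']]);
}

// Gate for sensitive areas: the password must arrive with this request and is
// checked against the stored hash every time; nothing in the session satisfies it.
function sensitive_allowed(array $session, array $users, string $password): bool
{
    return quick_validate($session, $users)
        && password_verify($password, $users[$session['user']]);
}

// Constructed walk-through.
$session = [];
var_dump(login($session, $users, 'frank', 'correct horse'));

// A copy of the session models a party that holds only the session id.
$copied = $session;
var_dump(quick_validate($copied, $users));               // non-sensitive pages
var_dump(sensitive_allowed($copied, $users, ''));        // sensitive, no password
var_dump(sensitive_allowed($session, $users, 'correct horse')); // owner re-enters it
```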