"VamVan" <vamseevan@xxxxxxxxx> wrote in message news:12eb8b030901141421u6741b943q396bc784136b7508@xxxxxxxxxxxxxxxxx
> On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak
> <blindspotpro@xxxxxxxxxxx> wrote:
>
>> This is mostly to make sure I understand how sessions are handled
>> correctly.
>> As far as sessions are concerned the variable data is stored on the
>> server (be it in memory or temp files), and never transmitted across
>> the net unless output to the page? So this means I should be able to
>> store the username and password for a program in session vars for
>> quick validations, and if I force re-entry of the password for
>> sensitive areas (every time) even if someone manages to spoof the
>> sesid all they will have access to is non sensitive areas? This also
>> assumes I, at least, quick validate at the start of every page
>> immediately after starting the session.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
> Password should never be stored anywhere in clear text. You can store md5
> version in session or database. As long as password is encrypted you're
> fine and safe.
>
> Thanks,
> V

Thanks V

So if I store the hash in the db, and in the session var then I should be reasonably safe provided I salt the hash prior to storing it?
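
An added example, not part of the thread or written by its participants: a PHP sketch of the arrangement under discussion, with a salted hash in the user store, a quick check at the top of every page, and password re-entry for sensitive areas. The `$users` array, the function names and the sample password are constructed for illustration; `password_hash()` and `password_verify()` require PHP 5.5 or later, and here the session holds only the username.

```php
<?php
// Constructed user store standing in for the database. Only the salted
// hash is kept; password_hash() generates and embeds the salt itself.
$users = ['frank' => password_hash('correct horse', PASSWORD_DEFAULT)];

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once logged in
    }
    // Assumption of this sketch: the session carries an identifier only,
    // neither the password nor its hash.
    $_SESSION['user'] = $name;
    return true;
}

// Quick validation at the start of every page.
function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Sensitive areas: the password is re-entered on every request and checked
// against the stored hash, so a valid session id alone does not pass.
function confirm_for_sensitive_area(array $users, string $password): bool
{
    $name = current_user();
    return $name !== null
        && isset($users[$name])
        && password_verify($password, $users[$name]);
}

// Constructed walk-through, run from the command line.
$_SESSION = [];
var_dump(login($users, 'frank', 'correct horse'));
var_dump(current_user());
var_dump(confirm_for_sensitive_area($users, 'guess'));
var_dump(confirm_for_sensitive_area($users, 'correct horse'));
```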