Frank Stanovcak wrote:
> "VamVan" <vamseevan@xxxxxxxxx> wrote in message
> news:12eb8b030901141421u6741b943q396bc784136b7508@xxxxxxxxxxxxxxxxx
>
>> On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak
>> <blindspotpro@xxxxxxxxxxx> wrote:
>>
>>> This is mostly to make sure I understand how sessions are handled
>>> correctly.
>>> As far as sessions are concerned the variable data is stored on the
>>> server (be it in memory or temp files), and never transmitted across
>>> the net unless output to the page? So this means I should be able to
>>> store the username and password for a program in session vars for
>>> quick validations, and if I force re-entry of the password for
>>> sensitive areas (every time) even if someone manages to spoof the
>>> sesid all they will have access to is non-sensitive areas? This also
>>> assumes I, at least, quick validate at the start of every page
>>> immediately after starting the session.
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>> Password should never be stored anywhere in clear text. You can store
>> the md5 version in session or database. As long as the password is
>> encrypted you're fine and safe.
>>
>> Thanks,
>> V
>>
> Thanks V
> So if I store the hash in the db, and in the session var then I should
> be reasonably safe provided I salt the hash prior to storing it?
>

Yes, but don't use md5. There are lookups available to help someone crack
it. Try sha1: http://us3.php.net/sha1

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com
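The pattern discussed in the thread (verify credentials once, keep server-side session state, and force the password to be re-entered before sensitive areas) as an added PHP example. This is not code from the thread or from any of its participants; it swaps in PHP's built-in `password_hash()` / `password_verify()` (bcrypt with a per-password salt that PHP generates, PHP 5.5 and later) in place of a hand-salted md5 or sha1, and it keeps only a user id and an authentication timestamp in `$_SESSION` rather than the hash itself, so a copied session id carries no password material. The `$users` array, the user name and password, and the function names `findUser`, `login`, `isAuthenticated` and `requireRecentAuth` are all constructed for this example.

```php
<?php
// Added example, not from the mailing-list thread. Server-side session
// handling: verify the password once, store only the user id and the time
// of verification, and require re-entry of the password for sensitive areas.
declare(strict_types=1);

// Constructed stand-in for a users table: id => [username, password hash].
// In a real application the hash column is written once, at registration.
$users = [
    7 => ['username' => 'frank',
          'hash'     => password_hash('correct horse', PASSWORD_DEFAULT)],
];

/** Look up a user row by name; returns null when the name is unknown. */
function findUser(array $users, string $username): ?array
{
    foreach ($users as $id => $row) {
        if ($row['username'] === $username) {
            return ['id' => $id] + $row;
        }
    }
    return null;
}

/**
 * Full login. Verifies the password against the stored bcrypt hash and, when
 * a web session is active, issues a fresh session id so a session id fixed
 * before login is not promoted to a logged-in one. The hash never enters
 * $_SESSION; only the user id and the verification time do.
 */
function login(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verify against a dummy hash for unknown names so the response time
        // does not reveal whether the user name exists.
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $user = findUser($users, $username);
    $ok = password_verify($password, $user['hash'] ?? $dummyHash);
    if ($user === null || !$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['auth_at'] = time();
    return true;
}

/** Cheap check to run at the top of every page: is someone logged in? */
function isAuthenticated(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['auth_at']);
}

/**
 * Gate for sensitive areas: the password must have been verified within the
 * last $maxAge seconds, otherwise it must be re-entered. A stolen session id
 * on its own therefore only reaches the non-sensitive pages.
 */
function requireRecentAuth(array $users, int $maxAge, ?string $reentered = null): bool
{
    if (!isAuthenticated()) {
        return false;
    }
    if (time() - $_SESSION['auth_at'] <= $maxAge) {
        return true;
    }
    if ($reentered === null) {
        return false; // caller should now prompt for the password
    }
    $hash = $users[$_SESSION['user_id']]['hash'] ?? null;
    if ($hash === null || !password_verify($reentered, $hash)) {
        return false;
    }
    $_SESSION['auth_at'] = time(); // re-verified: reset the timer
    return true;
}

// CLI demonstration. In a web request, call session_start() before any output
// instead of assigning $_SESSION directly.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    var_dump(login($users, 'frank', 'wrong password'));          // bool(false)
    var_dump(login($users, 'frank', 'correct horse'));           // bool(true)
    var_dump(requireRecentAuth($users, 300));                    // bool(true)
    $_SESSION['auth_at'] -= 3600;                                // simulate an hour passing
    var_dump(requireRecentAuth($users, 300));                    // bool(false): prompt
    var_dump(requireRecentAuth($users, 300, 'correct horse'));   // bool(true)
}
```

Two design choices worth noting: the session holds a timestamp instead of the password hash, so re-entry is enforced by age rather than by comparing hashes on every page, and `session_regenerate_id(true)` on successful login invalidates the pre-login id, which is the usual defence against a session id being fixed in advance.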