password in session

kccheng

Hi,

Is saving password in PHP session a good idea ? I think
this kind of question is quite common since I need password
everytime when I call mysql_connect().

Can I ask user input his/her password just once (eg in
login.php) and then totally forget password? If so, how
can I bypass mysql_connect() in other PHP scripts?

Thanks.

		Kuang-Chun Cheng
		kccheng@soliton.com.tw

Anon

You can always use cookies

[deleted]

Cookies? for storing passwords? eek!

Storing a password in a session is not a good idea, let alone storing the password in a cookie (that gets sent back and forth.

The most common way to use passwords is that
the user enters his password only once.
This password is checked against the database to see if the user entered the correct username/password combo.
If it is correct, and special variable in the session is set, so the next time the user requests a page, the session data will say "this user is logged in"

That means that the database does not have a unique database-login-password for each user. Instead, the database has one password, and wether or not the user can access the database is decided by the session variable.

A general note: You can ofcourse store the password in the session data, but you must make very sure that nobody exept you has access to the webserver.
If someone else can upload a php script, they can read all the session data, and get all the passwords.

Anon

I didn't mean that, I meant set a cookie if the pw is correct, verified against a db for example.

[deleted]

Ah, that's ok then.. I was getting worried :-)