stubarny1 wrote: Someone told me to never store passwords in a session variable?
Did the person elaborate any further (e.g. alternatives or at the very least why he/she said that)?
Sessions store their data on the server. Where on the server (or even in what form - e.g. files, DB, etc.) is determined entirely by how PHP is configured. By default, PHP stores its sessions in plain text files in the server's temporary directory (e.g. /tmp), which is often readable/writable for all users. Thus several security holes could be created when using sessions to store sensitive information.
However, if you care about security at all, then you surely wouldn't be using a shared hosting environment or anything of that nature, so this risk is mitigated to a certain extent (i.e. an attacker would have to compromise the security of the server itself and gain access to it... at that point, you're looking at a full format and re-install anyway).
Another layer of security would be to encrypt the passwords stored in the session. Do you ever need to know what their password is (e.g. decrypt it)? Most often, the answer is no, in which case you could simply store a hash (e.g. SHA1 or any other one-way encryption/hashing algorithm) of their password instead.
EDIT: Forgot to mention... even if you share a private box with other legitimate users, you could still add security from those users by moving your session files inside of your home directory (where they hopefully don't have read or write access).
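An added example, not part of the post above, of moving session files out of the shared temporary directory and checking that other local users cannot read them. The directory `/home/exampleuser/private/php_sessions` and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical location: any directory outside the web root that only
// the account PHP runs as can read will do.
const SESSION_DIR = '/home/exampleuser/private/php_sessions';

/** Returns a list of problems with a session directory (empty = acceptable). */
function audit_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir does not exist or is not a directory"];
    }
    $problems = [];
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {   // any group/other bit means other local users get access
        $problems[] = sprintf('%s has mode %04o; group/other bits must be clear', $dir, $mode);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $problems[] = "$dir is not owned by the user PHP runs as";
    }
    return $problems;
}

function start_private_session(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);   // mkdir() mode is subject to umask, so set it explicitly
    $problems = audit_session_dir($dir);
    if ($problems) {
        throw new RuntimeException(implode('; ', $problems));
    }
    session_save_path($dir);   // must be called before session_start()
    session_start();
}

// Report on the path PHP would use by default (often a world-writable temp dir).
// session.save_path may carry an "N;" or "N;MODE;" prefix, so keep the last field.
$default = preg_replace('/^.*;/', '', session_save_path()) ?: sys_get_temp_dir();
foreach (audit_session_dir($default) as $problem) {
    error_log("default session path: $problem");
}

start_private_session(SESSION_DIR);
```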