Security: Why is user password stored in session?

Chris Fordham chris at xhost.com.au
Sat Dec 2 23:50:11 CET 2006


User can modify server side PHP session?
How is that possible?
Can you provide me any links to read up on?

thanks in advance Brett!

On Sun, 03 Dec 2006 02:46:06 +1100, Brett Patterson <brett at bpatterson.net> wrote:

> Stefan Rompf wrote:
>> On Saturday, 2 December 2006 00:25, Chris Fordham wrote:
>>
>>
>>> Does the user require cookies to use Roundcube, or would this add that
>>> requirement?
>>>
>>
>> Roundcube already uses (and IMHO requires) cookies, so this does not  
>> change anything.
>>
>> Stefan
>>
>>
>>
> Well, honestly Sessions can be changed by the user easily.  There are  
> extensions for Firefox that allow just people who are playing around to  
> modify their session.  This can either make or break the system.
>
> Cookies, while more difficult to modify, are still modifiable, as well  
> as easily visible.
>
> One thing that I would suggest is that IF you need to keep the password  
> in the session or in a cookie, the password and other vital information  
> is encrypted in some way, either with the mcrypt library or through a  
> user created encryption method.  This would be much safer so that if  
> someone did try to view the information, it would be encrypted.  Just my  
> suggestion(s).
>
> ~Brett
>
>



-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
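Added example, not code from this thread or from Roundcube: a PHP sketch of what Brett's suggestion (encrypting a password before it goes into the session) looks like when done with authenticated encryption. It uses the libsodium extension's secretbox (PHP 7.2+) instead of mcrypt, keeps the key in a file outside the session store (the path /etc/roundcube/session.key, the function names and the sample password are assumptions), and shows the check a practitioner wants: a sealed value that has been modified fails to open instead of decrypting to garbage. A plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical key file outside the web root and outside the session store.
// Generate it once, e.g.:
//   php -r 'echo bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));' > /etc/roundcube/session.key
function load_session_key(string $path = '/etc/roundcube/session.key'): string
{
    if (is_readable($path)) {
        $key = hex2bin(trim((string) file_get_contents($path)));
        if ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            return $key;
        }
    }
    // Fallback so this example runs stand-alone: a per-process random key.
    // A real deployment needs a key that survives restarts, or every session breaks.
    return random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

// Seal a secret before storing it in the session: a fresh random nonce per value,
// and a Poly1305 tag so any change to the stored bytes is detected on open.
function seal_for_session(string $secret, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($secret, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns the plaintext, or null if the value is malformed or fails authentication.
function open_from_session(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- stand-alone demonstration (constructed data, array in place of $_SESSION) ---
$key     = load_session_key();
$session = [];

// What the session file now contains is ciphertext, not the IMAP password.
$session['imap_password'] = seal_for_session('correct horse battery staple', $key);
echo "stored in session: {$session['imap_password']}\n";

// Normal use: the server unseals it when it needs to log in to IMAP.
$password = open_from_session($session['imap_password'], $key);
echo "unsealed: " . ($password === null ? '(failed)' : $password) . "\n";
if ($password !== null) {
    sodium_memzero($password); // wipe the plaintext once it is no longer needed
}

// Tamper check: flip one bit of the stored ciphertext, as a corrupted or edited
// session entry would look, and confirm the value is rejected rather than decrypted.
$tampered = base64_decode($session['imap_password'], true);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
$result = open_from_session(base64_encode($tampered), $key);
echo "tampered value opens: " . ($result === null ? 'no (rejected)' : 'yes') . "\n";
```

Two caveats worth keeping in mind. Encrypting the stored value only helps if the key lives somewhere the session data does not; a key stored in the same session or cookie gives no protection. And this guards the session store at rest, not the session itself: the server will happily unseal the password for whoever presents a valid session cookie, so session ID hygiene (regeneration on login, HttpOnly and Secure cookie flags, sensible expiry) still matters.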



