Security: Why is user password stored in session?

Darrel O'Pry dopry at thing.net
Tue Dec 5 20:31:57 CET 2006


a quick FUD check here...

On Sat, 2006-12-02 at 10:46 -0500, Brett Patterson wrote:
> Well, honestly sessions can be changed by the user easily.  There are 
> extensions for Firefox that allow people who are just playing around to 
> modify their session.  This can either make or break the system.

No, users cannot modify their PHP sessions through any browser tool. The
session itself is a server-side construct that is linked to a session
ID. The session ID can be stored in a cookie or passed through GET
variables.

Session hijacking can occur if you find out another user's session ID
and spoof either the PHPSESSID GET variable or the cookie.

> Cookies, while more difficult to modify, are still modifiable, as well 
> as easily visible.

You should be more concerned about cookies than the PHP session. You can
also use salted cookies with the session ID, but if someone watching the
wire has a valid session ID, they can probably get the salted cookie
just as easily.

> One thing that I would suggest is that IF you need to keep the password 
> in the session or in a cookie, the password and other vital information 
> is encrypted in some way, either with the mcrypt library or through a 
> user-created encryption method.  This would be much safer so that if 
> someone did try to view the information, it would be encrypted.  Just my 
> suggestion(s).

I think you're taking a zero-sum approach, a lot of effort for no real
results. If you are truly super paranoid you can start a DH request and
page-signing session when the user logs in, and continue it for each
subsequent AJAX request. Then you would at least be able to guarantee the
identity of the endpoints per session. OpenID has also solved a lot of
the problems around distributed authentication systems and identity
verification; the 2.0 draft should be finalized soon.... It would be
cool to have an email service as an identity provider that uses IMAP as a
password backend.

darrel.
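The safe shape of what the thread is circling around, as an added example that is not code from this post or from Drupal: a PHP (7.4+) login that keeps only a user ID in the server-side session and never the password, accepts the session ID from the cookie only (no PHPSESSID on the query string), regenerates the ID at login, and sets the cookie flags that make the ID harder to pick off the wire. The user table, the sample password and the POST route at the bottom are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Requires PHP 7.4+ for
// the array forms of session_set_cookie_params()/setcookie() and ??=.
declare(strict_types=1);

// Hypothetical in-memory user table: username => password_hash().
// In a real application this comes from the users table.
function sample_users(): array
{
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Start the session with the ID accepted from the cookie only, never from
// ?PHPSESSID=... on the URL, so it does not leak via Referer headers, proxy
// logs or pasted links. All ini_set() calls must precede session_start().
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // HTTPS only: a plaintext wire is how the ID gets sniffed
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns true on success. On success the session ID is regenerated, so an
// ID an attacker planted before login (session fixation) stops working, and
// only the user ID is stored: the password never goes into $_SESSION.
function login(string $username, string $password, array $users): bool
{
    secure_session_start();
    // Verify against a dummy hash for unknown users so response time does
    // not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    session_regenerate_id(true);   // new ID; old server-side record deleted
    $_SESSION = [
        'uid'        => $username,
        'login_time' => time(),
    ];
    return true;
}

// The only thing a page needs from the session: who is logged in.
function current_user(): ?string
{
    secure_session_start();
    return $_SESSION['uid'] ?? null;
}

// Clear the server-side record and expire the cookie that points at it.
function logout(): void
{
    secure_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Hypothetical request handler: POST with username/password form fields.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login(
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? ''),
        sample_users()
    );
    http_response_code($ok ? 204 : 401);
}
```

Nothing here stops someone who has captured a valid ID from replaying it, which is the hijack the post describes; what it does is keep the ID off the query string, off plaintext HTTP and away from page scripts, and make sure that whoever does get in finds a user ID in the session rather than a password.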
