Is it secure to store a password in a session? [duplicate]

by

Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secrets of your customers if you can avoid it; that also means you want to avoid seeing the user’s password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.

If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation function to derive a key from the password which you then use for your sensitive tasks. This way there’s a lot less chance to expose the user’s password. Remember, the only security the user has is the secrecy of his password that only he is supposed to know.

More Related Contents:

  1. How do you Encrypt and Decrypt a PHP String?
  2. PHP Session Fixation / Hijacking
  3. Simplest two-way encryption using PHP
  4. “Keep Me Logged In” – the best approach
  5. How to encrypt/decrypt data in php?
  6. Two-way encryption: I need to store passwords that can be retrieved
  7. How to properly add cross-site request forgery (CSRF) token using PHP
  8. Preventing session hijacking
  9. Login without HTTPS, how to secure?
  10. What do I need to store in the php session when user logged in?
  11. Session hijacking and PHP
  12. Secure and Flexible Cross-Domain Sessions
  13. What encryption algorithm is best for encrypting cookies?
  14. Proper session hijacking prevention in PHP
  15. Parse error: syntax error, unexpected T_STRING in C:\wamp\www\b_php\project\login_save.php on line 14 [closed]
  16. How can I store my users’ passwords safely?
  17. How to create a secure mysql prepared statement in php?
  18. How to use store and use session variables across pages?
  19. Is possible to keep session even after the browser is closed?
  20. When and why I should use session_regenerate_id()?
  21. How to get rid of eval-base64_decode like PHP virus files?
  22. Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
  23. Cookies vs. sessions in PHP
  24. How can I determine a file’s true extension/type programmatically?
  25. How to properly handle session and access token with Facebook PHP SDK 3.0?
  26. PHP Session ID changing on every request
  27. How to keep a PHP session active even if the browser is closed?
  28. Set httpOnly and secure on PHPSESSID cookie in PHP
  29. Json: PHP to JavaScript safe or not?
  30. saving checkbox state on reload

Leave a Comment