开发者

Setting logged in SESSION data - security?

开发者 https://www.devze.com 2023-01-17 02:52 出处：网络

I\'m wondering how secure the below code is: if ($username == $user-&开发者_如何学Pythongt;username && $password == $user->password) {

相关专题：authentication php security

I'm wondering how secure the below code is:

if ($username == $user-&开发者_如何学Pythongt;username && $password == $user->password) {  
    $_SESSION['loggedIn'] = true;
    $_SESSION['userId'] = $user->userId;
}

Basically, would there be any way for someone to fake the SESSION variable (besides actually stealing a users cookie)?

Seems fine to me. Just don't store the password or sensitive data in the session in case someone does steal the session id. I believe most of the security risks take place in getting the password to the server securely.

Also, you should store your password hashed at least. Making it (assuming $user->password is hashed using sha1) sha1($password) == $user->password