Re: [PHP] Encrypt Password for Session

2001-05-22 Thread Joseph Blythe


Troy Moreland wrote:

> If I can't decrypt it, then I can't pass that password for the
> user.  How do I keep passing the password then w/o having to write it to the
> session.  Is that the right way to do it??

I don't know if this is the right way, but what I would do is have a 
login page that does the md5 database lookup and, if it is successful, writes 
the user's name to a variable in the current session, maybe $verified_user.

Now if every page tests for $verified_user, you will know if they have 
logged in correctly. This approach seems to work very well for me; I 
don't know if there are any major security holes though?

example:

// $verified_user is the session variable the login page sets on success
if ( isset($verified_user) ) {
    $user = $verified_user;
} else {
    $user = 'nobody';
}

Hope this helps, it is pretty simple really.

Regards

Joseph



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
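
An added example, not part of the original messages: one way to answer the question in this thread, checking the password once at login and keeping only the username in the session. It assumes PHP 7 or later; the array user store and the sample credentials are constructed, and the per-page check reads `$_SESSION` directly because a bare global such as `$verified_user` could be set from request parameters when register_globals was enabled.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
declare(strict_types=1);

// Constructed sample user store: username => password hash.
function sample_users(): array
{
    return ['troy' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Login step: verify the typed password against the stored hash, then keep
// only the username in the session. The password never enters the session.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id once authenticated
    }
    $_SESSION['verified_user'] = $name;
    return true;
}

// Per-page check: trust only the server-side session, never request input.
function current_user(): string
{
    $u = $_SESSION['verified_user'] ?? null;
    return is_string($u) ? $u : 'nobody';
}

// Command-line walk-through; a plain array stands in for the session.
$_SESSION = [];
$_GET = ['verified_user' => 'admin'];   // constructed request input, ignored
$users = sample_users();

var_dump(current_user());                         // before login
var_dump(login($users, 'troy', 'wrong'));         // bad password
var_dump(login($users, 'troy', 'correct horse')); // good password
var_dump(current_user());                         // after login
```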




Re: [PHP] Encrypt Password for Session

2001-05-17 Thread Kurth Bemis


look in the manual for md5

~kurth

On Thu, 17 May 2001, Troy Moreland wrote:

> All,
>
> I am currently using sessions to store a user's ID, password and current
> login status.  All works fine.  The only issue is that the session file on
> the server is storing the password in plain text.  How do I encrypt that
> password and how do I decrypt it for comparing?
>
> Thanks in advance!!
>
> Troy Moreland







Re: [PHP] Encrypt Password for Session

2001-05-17 Thread Ethan Schroeder

What I do is md5() encrypt the password and store it in the text file or
database.  Md5 is a one way algorithm, though, so you can never decrypt the
password.  What you do, is when you want to authenticate a user, you md5
encrypt the text they typed in and compare that to the md5 hash in your file
or database or wherever.  If they match, you let them in.

Ethan Schroeder

----- Original Message -----
From: Troy Moreland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 17, 2001 10:41 AM
Subject: [PHP] Encrypt Password for Session


> All,
>
> I am currently using sessions to store a user's ID, password and current
> login status.  All works fine.  The only issue is that the session file on
> the server is storing the password in plain text.  How do I encrypt that
> password and how do I decrypt it for comparing?
>
> Thanks in advance!!
>
> Troy Moreland







Re: [PHP] Encrypt Password for Session

2001-05-17 Thread Troy Moreland

I fully understand what you are saying.  The problem is that I'm storing
their password so that they don't have to re-enter it on each new page
visited.  If I can't decrypt it, then I can't pass that password for the
user.  How do I keep passing the password then w/o having to write it to the
session.  Is that the right way to do it??

Thanks again!

Troy Moreland

Ethan Schroeder [EMAIL PROTECTED] wrote in message
news:012f01c0deeb$684950d0$e46c28ce@biff...
> What I do is md5() encrypt the password and store it in the text file or
> database.  Md5 is a one way algorithm, though, so you can never decrypt the
> password.  What you do, is when you want to authenticate a user, you md5
> encrypt the text they typed in and compare that to the md5 hash in your file
> or database or wherever.  If they match, you let them in.
>
> Ethan Schroeder
>
> ----- Original Message -----
> From: Troy Moreland [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, May 17, 2001 10:41 AM
> Subject: [PHP] Encrypt Password for Session
>
>
> > All,
> >
> > I am currently using sessions to store a user's ID, password and current
> > login status.  All works fine.  The only issue is that the session file on
> > the server is storing the password in plain text.  How do I encrypt that
> > password and how do I decrypt it for comparing?
> >
> > Thanks in advance!!
> >
> > Troy Moreland
 
 
 




Re: [PHP] Encrypt Password for Session

2001-05-17 Thread David VanHorn

At 12:05 PM 5/17/01 -0500, Troy Moreland wrote:
> I fully understand what you are saying.  The problem is that I'm storing
> their password so that they don't have to re-enter it on each new page
> visited.  If I can't decrypt it, then I can't pass that password for the
> user.  How do I keep passing the password then w/o having to write it to the
> session.  Is that the right way to do it??

What I do, is pass a cookie.

On the login page, I give them a cookie.
When they input a correct UN/PW, then I store the cookie.
When they go on to the user pages, I take the cookie, give them a new 
cookie, and compare the old cookie to the DB cookie.
If it's a match, then I store the new cookie to the db.
The cookie is a 13 digit base 36 number, generated randomly.


--
Dave's Engineering Page: http://www.dvanhorn.org
Where's dave? http://www.findu.com/cgi-bin/find.cgi?kc6ete-9
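
The rotating cookie scheme described above, as an added example that is not part of the original message. It assumes PHP 7.1 or later and uses a constructed in-memory array in place of the database; storing a SHA-256 hash of the token instead of the token itself, and revoking the stored token on a mismatch, are additions made here.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+.
declare(strict_types=1);

const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz';

// 13 base-36 digits drawn from the CSPRNG (roughly 67 bits of randomness).
function new_token(int $digits = 13): string
{
    $t = '';
    for ($i = 0; $i < $digits; $i++) {
        $t .= TOKEN_ALPHABET[random_int(0, 35)];
    }
    return $t;
}

// After a correct username/password: issue a token and store only its hash.
function issue(array &$db, string $user): string
{
    $token = new_token();
    $db[$user] = hash('sha256', $token);
    return $token;   // the caller sends this to the browser with setcookie()
}

// On each user page: compare the presented cookie with the stored value in
// constant time. On a match, rotate to a new token; otherwise revoke.
function rotate(array &$db, string $user, string $presented): ?string
{
    $stored = $db[$user] ?? null;
    if ($stored === null || !hash_equals($stored, hash('sha256', $presented))) {
        unset($db[$user]);   // mismatch: force a fresh login
        return null;
    }
    return issue($db, $user);
}

// Constructed walk-through: $db stands in for the database table.
$db = [];
$c1 = issue($db, 'troy');            // cookie handed out at login
$c2 = rotate($db, 'troy', $c1);      // first page view rotates the cookie
var_dump(is_string($c2) && strlen($c2) === 13);
var_dump(rotate($db, 'troy', $c1));  // replay of the old cookie is rejected
var_dump(isset($db['troy']));        // stored token revoked by the replay
```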


