Safe enough without storing md5 password in $_SESSION?
rokec
8:48 am on Jul 17, 2007 (gmt 0)
On successful login I write the user's ID and password in MD5 hash to $_SESSION. On each page I then check if the ID and password match, then display the page, else not (display login page).
I was thinking if it would be secure enough to store just ID (since it is unique)... Would it be?
eelixduppy
2:05 pm on Jul 23, 2007 (gmt 0)
I don't see a problem with it. It makes sense to store the ID as a string, though, because it is probably needed on other pages for db queries, etc., and an MD5 encryption cannot be reversed to get that info. If you are extremely worried about anything, you can use a two-way encryption; that way, when you need the ID, you can decrypt it right there and use it - up to you.
PHP_Chimp
1:35 pm on Jul 24, 2007 (gmt 0)
md5 can't be reversed, lmao. It takes about 15 mins to break through an md5 hash (if you are into that sort of thing ;))... that's part of the reason for the sha1 hash being introduced.
eelixduppy
2:23 pm on Jul 24, 2007 (gmt 0)
>> It takes about 15 mins to break through md5 hash
Unless you see a handy PHP function that is going to do it, then PHP cannot reverse it by itself. This is what I meant. If you give an encryption to the right set of people, I'm sure anything can be cracked...
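
The setup asked about in the first post (check the password once at login, then keep only the user ID in `$_SESSION`), as an added example that is not code from anyone in this thread. The user table, names and password are constructed, and it uses PHP's `password_hash()`/`password_verify()` rather than MD5 for the stored password.

```php
<?php
// Added example, not code from the thread. The user table and the password
// are constructed; in a real application the row comes from the database.
$users = [
    42 => ['name' => 'rokec', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Verify the submitted password once, at login, against the stored hash.
// On success only the user ID is written to the session.
function login(array $users, string $name, string $password): bool
{
    foreach ($users as $id => $row) {
        if ($row['name'] === $name && password_verify($password, $row['hash'])) {
            // Issue a new session ID at login so a pre-login ID cannot be reused.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['user_id'] = $id;
            return true;
        }
    }
    return false;
}

// Per-page check: session data is stored on the server, so a known user ID
// in $_SESSION is what marks the request as logged in.
function current_user_id(array $users): ?int
{
    $id = $_SESSION['user_id'] ?? null;
    return (is_int($id) && isset($users[$id])) ? $id : null;
}

session_start();
var_dump(login($users, 'rokec', 'wrong password'));
var_dump(current_user_id($users));
var_dump(login($users, 'rokec', 'correct horse'));
var_dump(current_user_id($users));
```

Pages that need the ID for database queries read it from `current_user_id()` and show the login page when it returns `null`.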