Nothing is safe unless it goes over SSL, and even then, NOTHING is 100% secure :)
The point is that you shouldn't have the plain text password as a session var...

Your login form (and the script that verifies the login) should be secure (see note), and should establish a session var like "logged_in" NOT session vars like "password". This way, IF the session is hijacked, the hijacker can only hijack that session, NOT find out what the user's password is.

Note: The real issue you have is that the password can be seen in plain text when the login form is submitted... therefore, you need to be concerned about running the login process under SSL.

Justin French

on 10/03/03 7:36 PM, Shaun van den Berg ([EMAIL PROTECTED]) wrote:

> Hi,
>
> Tell me, are sessions safe - why are they really used? Is it important to
> delete the session variables after you use them? When a user logs on to my site,
> he enters the password, I then encrypt the password and verify it with
> the one in the database! Will someone be able to hijack the session, getting
> the password before I encrypt it?
>
> Thanks
> Shaun
>
> --
> Novtel Consulting
> Tel: +27 21 9822373
> Fax: +27 21 9815846
> Please visit our website:
> www.novtel.co.za
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
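An added example (not code from either poster) of the approach Justin describes, written for current PHP: the stored hash is checked with password_verify(), the session id is regenerated at login, and only a "logged_in" flag and a user id go into the session, never the password. The $pdo connection, the `users` table and the `password_hash` column are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Assumed schema: users(id, username, password_hash) with hashes from password_hash().
// The login form and this script must be served over HTTPS, or the password is
// visible in transit before it is ever hashed.

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the submitted password with the stored hash; nothing plain-text is kept.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id on privilege change, so an id fixed before login is worthless.
    session_regenerate_id(true);

    // Only a flag and an identifier are stored; a hijacked session yields no password.
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $row['id'];
    return true;
}

function logout(): void
{
    $_SESSION = [];                      // clear the session vars server-side
    $p = session_get_cookie_params();    // and expire the session cookie client-side
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Session cookie hardening, set before session_start().
ini_set('session.cookie_secure', '1');    // cookie only sent over HTTPS
ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
ini_set('session.use_strict_mode', '1');  // reject session ids the server did not issue
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('sqlite:users.db');   // assumed connection for the example
    if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        unset($_POST['password']);       // drop the plain-text copy as soon as it is checked
        header('Location: /home.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```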