
Here is an idea I've got to store no plain-text password in either the session or the SQL database (even if it is needed in the POST). Can you tell me what you think about this way to proceed?

// The password entered by the user, in plain text
$password = $_POST['password'];

// Get the user's row (prepared statement, so uid is bound, not interpolated)
$req = $db->prepare('SELECT * FROM users WHERE uid = ?');
$req->execute(array($_POST['uid']));
$data = $req->fetch();

// Verify the password against the stored hash
if (password_verify($password, $data['hashed_password']))
{
     // Store a hash of the stored hash in the session (never the password itself)
     $_SESSION['rehash'] = password_hash($data['hashed_password'], PASSWORD_DEFAULT);
     $_SESSION['uid'] = $_POST['uid'];
}

// When checking credentials on other pages of the website
// ($data must have been fetched again for $_SESSION['uid'] as above):
if (password_verify($data['hashed_password'], $_SESSION['rehash']))
{
     // Private things here
}

I've seen a lot of topics on the same type of subject, and even if I don't think so, if this is a duplicate, feel free to close this topic.

  • Since sessions are stored server-side, I'm not quite sure what the purpose of this is. If a session is set, that's because I've allowed it to be set. Usually I set the user id in the session. – IsThisJavascript Oct 22 '19 at 08:46
  • @IsThisJavascript and topic starter, information which can identify a user, like ids and (re)hashes, is not right to store in PHP sessions, as these are far from safe in the default configuration... I once wrote this [answer](https://stackoverflow.com/a/18263063/2548147) on how $_SESSION can be attacked. – Raymond Nijland Oct 22 '19 at 08:55
  • Interesting read. Thanks for educating – IsThisJavascript Oct 22 '19 at 08:57
  • I don't understand why do you need that rehash? It seems completely unnecessary. – Dharman Oct 22 '19 at 09:20
  • It lets me avoid storing a plain-text password in the session or the SQL db, which are both unsecured and stealable. If someone steals my hash/rehash, it's okay because I could change the stored hash after a relog, for example, so it would make it harder to hack someone. – Tom Vautray Oct 22 '19 at 09:24
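The approach the comments point to (keep only the user id in a server-side session, with a fresh session id after login, and no password-derived material in it at all), as an added example that is not the asker's code or any commenter's. It assumes a PDO handle in $db and a `users` table with `uid` and `hashed_password` columns, as in the question; the cookie settings are an assumption about a typical hardened setup.

```php
<?php
// Added example (not the asker's code): keep only the user id in the session
// and let the server-side session itself be the credential, instead of a
// rehash of the password hash. Assumes a PDO handle in $db and a `users`
// table with columns uid and hashed_password, as in the question.

declare(strict_types=1);

// Harden the session cookie before starting the session (PHP >= 7.3 array form).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $db, string $uid, string $password): bool
{
    $req = $db->prepare('SELECT uid, hashed_password FROM users WHERE uid = ?');
    $req->execute([$uid]);
    $data = $req->fetch(PDO::FETCH_ASSOC);

    if ($data === false || !password_verify($password, $data['hashed_password'])) {
        return false;
    }

    // Rotate the stored hash at login if the default cost/algorithm has moved on.
    if (password_needs_rehash($data['hashed_password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET hashed_password = ? WHERE uid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $uid]);
    }

    // A new session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['uid'] = $data['uid'];   // the only thing the session needs
    return true;
}

// On other pages: the session id is the proof; no password material is compared.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['uid'])) {
        return null;
    }
    $req = $db->prepare('SELECT uid FROM users WHERE uid = ?');
    $req->execute([$_SESSION['uid']]);
    $user = $req->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}
```

Call `session_destroy()` (and clear the cookie) on logout so a stolen session id stops working; that is the server-side equivalent of "changing the stored hash after a relog".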

0 Answers