Simple PHP question

espfutbol98

I've been working on all this encryption, hashing, and salting, but I just noticed that the password is in $_SESSION in plaintext. Just how safe is this? Should I use some AES-256 so I can retrieve the data, or is it fine the way it is?
 

garrettroyce

Community Support
Other than inside your own script, $_SESSION is only viewable by someone who has access to /tmp/ on the server, aka, just the admins. It should be quite safe.
 

espfutbol98

Thanks for the quick response. I thought it was something like that, but I'm just making sure, because what is the use of all the encryption if $_SESSION worked like a cookie?
 

garrettroyce

Community Support
It's definitely a good way to think :)

There is a cookie saved to the user's computer, but it contains no session information, just the session ID.

You can create your own session handler class if you need the utmost security, but it will require a lot of time and programming.
 

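The two points made in the replies above, that session data stays on the server while the cookie carries only the session ID, and that a custom session handler can add protection, can be shown in working code. The block below is an added example, not code from either poster or from PHP itself. It registers a handler that encrypts each session file at rest with libsodium's secretbox before it is written, and it pairs that with a login routine that does the check a reviewer would ask for first: after password_verify() succeeds, keep only the user id in $_SESSION and never the password, so there is nothing sensitive to protect in the session in the first place. The class name EncryptedFileSessionHandler, the SESSION_KEY_HEX environment variable, the session directory, the login() function and the sample user record are all assumptions made for the example; session_set_save_handler(), SessionHandlerInterface, sodium_crypto_secretbox() and password_verify() are real PHP APIs.

```php
<?php
// Added example (not from the thread): encrypt session payloads at rest
// and keep the password out of $_SESSION entirely.
declare(strict_types=1);

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $key; // SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) raw bytes

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 raw bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    // The session id arrives in the cookie, so it is untrusted input:
    // only accept the alphabet PHP itself generates, to keep it out of paths.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->path($id);
        if (!is_file($file)) { return ''; }
        $blob = file_get_contents($file);
        $nlen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($blob === false || strlen($blob) <= $nlen) { return ''; }
        $plain = sodium_crypto_secretbox_open(substr($blob, $nlen), substr($blob, 0, $nlen), $this->key);
        // A tampered, truncated or foreign file fails authentication: start empty.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per write
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) { $removed++; }
        }
        return $removed;
    }
}

// Assumed: the key lives outside the web root, supplied as 64 hex chars.
$hex = getenv('SESSION_KEY_HEX');
if ($hex === false) { throw new RuntimeException('SESSION_KEY_HEX is not set'); }
session_set_save_handler(new EncryptedFileSessionHandler('/var/lib/php/sessions-enc', sodium_hex2bin($hex)), true);
session_start();

// Login: verify the stored hash, then keep only what later requests need.
function login(array $user, string $password): bool
{
    if (!password_verify($password, $user['password_hash'])) { return false; }
    session_regenerate_id(true);         // new id on privilege change (fixation)
    $_SESSION['user_id'] = $user['id'];  // the password itself is never stored
    return true;
}

// Constructed sample record, as a database row would look.
$user = ['id' => 42, 'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
login($user, 'correct horse battery staple');
```

The handler keeps the file-per-session layout PHP's default "files" handler uses, so the operational picture from the replies above is unchanged: the browser still holds only the session ID, and only the host can read the files. What changes is that an admin or backup reading those files now sees ciphertext, and that the login routine gives them nothing worth reading anyway, since the stored value is the user id rather than the password.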
espfutbol98

All I have is time right now and my utmost interest is security so I'll look into it. Thanks.
 