Storing Encrypted Password in Session variables
#11

[eluser]Mark van der Walle[/eluser]
Was looking at the topic start and didn't see anything about logging (or I'm blind ;)). He just uses the password in his where clause. In my opinion you should not use the password in update queries but a user ID (which should be unique). In your controller you should check if the user is allowed to do this.
#12

[eluser]xwero[/eluser]
Maybe logging is the wrong word; identifying is better, I guess. If you look at the updateUserInfo method, he uses the session variables. In addition there is the question about the security of the session variables. These are the two things I based my replies on. If I misread it, that's my fault :)

In your method I don't see how the user is identified. In my eyes it reads: someone is logged in, so he can do more. Or do I misread that too?

I agree with you: no password in the session. But if you don't have unique IDs there are other ways to identify someone without the user's password as a session variable. I suggested a few solutions for that.
#13

[eluser]Mark van der Walle[/eluser]
Was not pointing any blame, just trying to help the topic starter. Also, you should always have a way to identify your users. An autoincrement works quite nicely. When logging in you could also set this ID in the session. That way you have two things:
* A way to check if someone is logged in and thus allowing certain actions
* A way to identify that user with his ID. You can use this ID in all queries where CRUD actions on the user record are done.
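The pattern described in this post, as an added example that is not from the thread or from any poster: the login step verifies the password once and stores only the autoincrement user ID in the session, and the update method uses that ID in its WHERE clause instead of the password. It is plain PHP with PDO on an in-memory SQLite database so it runs stand-alone; the `users` table, the sample account and the function names (`login`, `currentUserId`, `updateUserInfo`) are assumptions made for the illustration, not CodeIgniter's API.

```php
<?php
// Added example (not from the thread): identify the logged-in user by the ID
// kept in the session, never by the password. Plain PHP + PDO on an in-memory
// SQLite database; the table and the sample account are constructed here.

session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    email TEXT
)');

// Constructed sample account: only a password hash is stored, never the password.
$insert = $db->prepare('INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'alice@example.com']);

// Login: verify the submitted password once, then keep only the user's ID in
// the session. The session ID is regenerated so a pre-login ID is not reused.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];   // the only identity data kept in the session
    return true;
}

// Controller-side check: is anyone logged in? Returns the user ID or null.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Update the user's own record. The WHERE clause uses the session's user ID,
// so the query can only touch that user's row and no password is involved.
function updateUserInfo(PDO $db, string $newEmail): bool
{
    $userId = currentUserId();
    if ($userId === null) {
        return false;  // not logged in: refuse the action
    }
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$newEmail, $userId]);
    return $stmt->rowCount() === 1;
}

// Walk through the flow; results are collected first so nothing is printed
// before the session functions run.
$results = [
    'update before login' => updateUserInfo($db, 'nobody@example.com'),       // false
    'login wrong password' => login($db, 'alice', 'wrong password'),            // false
    'login correct'       => login($db, 'alice', 'correct horse battery staple'), // true
    'update after login'  => updateUserInfo($db, 'alice@example.org'),         // true
];
print_r($results);
```

The point of the split is that the password is only ever compared at login; afterwards every query is keyed on the session's user ID, so the session never has to hold the password (encrypted or not) and a user can only modify the row that belongs to the ID they authenticated as.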
#14

[eluser]ufasoli[/eluser]
Thank you all for your useful answers. I think I'm going to implement the encrypted user ID, or the field with the 'fake id'.