I have read on stackoverflow the following:
never store the users password or even a hash of the password in session or cookie data.
I’m in the middle of making a system to check for a constant password, if it’s different from one saved in a session, then force a logout; something like facebook does? When you change your password, or a password has been changed, you get logged out.
My code follows below:
// Compares the password kept in the session with the one passed in;
// any mismatch ends the session.
function ConstantPassword($Password)
{
    if ($_SESSION['Password'] !== $Password) {
        include "Logout.php";
    }
}
But if it’s said not to store passwords in a session/cookie, what could be another workaround for this?
You can do the check once, and then store a $_SESSION['logged_in'] = TRUE variable. On logging out, you unset($_SESSION['logged_in']) it and session_destroy() the session. No need to put the password nor the salt in the session.
Also, you should not implement passwords on your own but instead, use this: https://github.com/ircmaxell/password_compat It’s the library that’s going to be in PHP 5.5.