I would like some clarification on what are some best practices for secure web login and, further, persistent login for a PHP application that is authenticating against Active Directory.
- At login, does it make sense to implement a Post-Redirect-Get model? Storing the password in $_SESSION probably isn't a good idea.
- After authentication, is checking if a specific $_SESSION field is set a valid and secure way to check if a user is logged in?
It is NOT a good idea to store the password in plain text at any point in time.
1) I do not recommend the PRG model for a login page. The worst thing that could happen is that the person is logged in twice. That’s not so bad.
Data stored in $_SESSION can typically not be read by the client. It IS stored on the server, where a malicious employee or hacker might get access to it.
2) After authentication it is ok to check the session to see if someone is logged in. Someone may spoof someone else's session id, but the chance of that is minimal as long as you are running SSL. I recommend storing the IP, user agent, and other information you can get easily in the $_SERVER variable and comparing it either on occasion or every time, to reduce the chance that someone has hacked the other person's session id.
Regenerating a session id on login doesn't make a lot of sense to me, although I don't know your particular scenario. My suggestion is to simply regenerate it on log out. Also, you can add a timeout feature to the session if you like.
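An added example (not code from the question or the answer) of the session handling the answer describes: only the identity is kept in $_SESSION, the client's IP and user agent are fingerprinted and compared on every request, and an inactivity timeout is enforced. It assumes a hypothetical auth_against_ad() that validates the credentials against Active Directory; the password is passed to that call and never stored.

```php
<?php
declare(strict_types=1);

const SESSION_TIMEOUT = 900; // seconds of inactivity before the session is dropped

// Fingerprint the client from $_SERVER values, as the answer suggests.
function client_fingerprint(array $server): string
{
    return hash('sha256',
        ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

// Called once, right after auth_against_ad() has returned true.
function login_user(string $username, array $server): void
{
    session_regenerate_id(true);           // fresh id so a pre-login id cannot be reused (session fixation)
    $_SESSION['user']        = $username;  // identity only; the password is never stored
    $_SESSION['fingerprint'] = client_fingerprint($server);
    $_SESSION['last_seen']   = time();
}

// Guard for authenticated pages: true only if the session is marked logged-in,
// still within the timeout, and from the same IP/user agent it was created with.
function is_logged_in(array $server): bool
{
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return false;
    }
    $expired  = (time() - $_SESSION['last_seen']) > SESSION_TIMEOUT;
    $mismatch = !hash_equals($_SESSION['fingerprint'], client_fingerprint($server));
    if ($expired || $mismatch) {
        logout_user();                     // drop a stale or possibly hijacked session
        return false;
    }
    $_SESSION['last_seen'] = time();       // sliding timeout
    return true;
}

function logout_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);           // regenerate on logout, as the answer recommends
    session_destroy();
}

// Usage in the login handler (auth_against_ad is hypothetical):
// session_start();
// if (auth_against_ad($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     login_user($_POST['username'], $_SERVER);
//     header('Location: /home'); exit;
// }
```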