New to php Sessions here. My stored user data is pretty minor and not very sensitive but of course I still want a secure site. I have stored their password hash in my db with salt.
Do I need to validate a user on every page of my site using their password, or is that overkill? In other words, if they have successfully “logged in” and I have stored their username in a php session is that good enough for them to roam around, with the site knowing who they are?
I ask because it seems like storing a users password in a session is probably not the best idea. Is that true?
You don’t need to authenticate on every request, but you do need to authorize on every request.
Authentication is where you validate the user’s username / password against the database. Once they have successfully authenticated, you only need to store their user ID (or username) in the session.
On every subsequent request, check to make sure that the current session is authorized to view the requested content. In your case, you probably just need to make sure that there is a valid user ID in the session… you don’t have to do anything with the database.
You may use a function similar to the following to authorize on every request:
You can make this even more secure by managing your own session data in a database, and then you don’t have to place much faith in cookies, which can be traded/stolen/etc by (malicious) users. But that’s usually overkill for most web apps.