Home/ Questions/Q 7072275
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T05:47:20+00:00

Would it be a security risk to set the user id and pass to

  • 0

Would it be a security risk to set the user id and pass to a session? If so how?
The session vars would be in an included file. I understand that this would not allow other users, but I only have one user to log in.

****CONFIG.PHP****
session_start();
$_SESSION['USER'] = 'USERNAME';
$_SESSION['PASS'] = 'PASSWORD';


****LOGIN.PHP****
include ('config.php');
IF ($_SESSION['USER'] == $_POST['USERNAME'] && 
$_SESSION['PASS'] == $_POST['PASSWORD']){
ALLOW ACCESS;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you’re using server-side sessions which can’t be modified by the end-user anyways, there is no reason to store the password there. It’s just another place the password exists on your server. Once you’ve validated the it is a valid user and the password is correct, you only really need to store their user ID in the session. There’s no way they can change it, so you can always trust that it’s actually their user ID.

    There’s always the risk of session hijacking, but that’s a different topic.

    As for your code, you’re misunderstanding sessions. You set those after you’ve validated the user input.

    ****CONFIG.PHP****
$username = 'USERNAME';
$password = 'PASSWORD';


****LOGIN.PHP****
include ('config.php');
IF ($username == $_POST['USERNAME'] && $password == $_POST['PASSWORD']){
    session_start();
    $_SESSION['username'] = $username;
}

    Then you can just test to see if $_SESSION['username'] is set. If it is, then you know you’re logged in.

    IF (isset($_SESSION['username'])){
    ALLOW ACCESS;
}
    • 0