Larry Ullman's Book Forums

User Object With Pass Attribute Stored In Session



In Chapter 9 (CMS with OOP), the user class is defined with six protected attributes, including email and pass. A few pages later in the login script, a user object is created and then stored in a session:

$q = 'SELECT id, userType, username, email FROM users WHERE email=:email AND pass=SHA1(:pass)';

// The results are fetched into $user using PDO::FETCH_CLASS

 

Then $user is stored in a Session:

if ($user) {
    $_SESSION['user'] = $user; // followed by a redirect and exit
}

 

I realize that the way it is written, only id, userType, username, and email are retrieved from the database and are the ONLY results passed to the $user object. I'm wondering, however, why you would include a $pass attribute in the $user class if you plan on storing that object in a session. Is this safe? What if somewhere along the line, the $pass attribute is used and set in the object?

 

I'm guessing that ALL of the attributes of the class are stored in $_SESSION['user'] as serialized data, and even though they are 'protected' in the class, the password would be stored in the session with whatever value it is set to in the $pass attribute. If I were to keep the $pass attribute in the class, I would make sure that $this->pass is run through whatever security hash I have in place for my application.

 

So the question is: If I am going to be storing user objects in a session, do I get rid of the protected $pass attribute from the user class completely? Or is it safe to keep it there as long as it gets hashed (or maybe even reset to NULL after login)?

 

Thanks again!


The pass attribute exists in the User class because users have passwords and the class is a representation of the user type. It's perfectly safe, and the proper way to design the class.

 

And, yes, all of the object attributes would be stored in the session. And, yes, it would be less secure to store the user's password in the session. But as you can see in that code, the user's password is not being retrieved and therefore not being stored in the object or the session.

 

So while this is something you should be aware of, the code as written is appropriate.

 

If you had a situation where the object IS storing the password (say after registration and the user doesn't have to login), then you should set the password value to NULL before storing it in a session.

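As an added example (not code from the book or from either post above), the script below demonstrates the point both posts make: PHP's serialize(), which is what $_SESSION uses, includes protected properties, so whatever sits in $pass at login time ends up in the session store, and it shows the two ways to keep it out: setting the value to NULL before storing the object, as the answer suggests, and a __sleep() whitelist that excludes pass regardless of later code paths. The class and property names mirror the thread; NaiveUser, sampleRow(), hashLeaks(), verifyPassword() and clearPassword() are assumed helper names, the row is constructed rather than fetched, and password_hash()/password_verify() with bcrypt stand in for the book's SHA1() so the hash has a recognisable prefix to search for.

```php
<?php
// Added example; not code from the book or the forum thread.

// A User class like the one discussed in the thread: protected attributes,
// including pass. No __sleep(), so serialize() takes every property.
class NaiveUser
{
    protected $id;
    protected $userType;
    protected $username;
    protected $email;
    protected $pass; // password hash as stored in the users table

    // Accepts an optional row so the example runs without a database.
    // With PDO::FETCH_CLASS the properties are populated directly instead.
    public function __construct(array $row = [])
    {
        foreach ($row as $name => $value) {
            if (property_exists($this, $name)) {
                $this->$name = $value;
            }
        }
    }

    public function verifyPassword(string $plain): bool
    {
        return is_string($this->pass) && password_verify($plain, $this->pass);
    }

    // Approach from the answer: scrub the hash before the object is stored.
    public function clearPassword(): void
    {
        $this->pass = null;
    }
}

// Alternative: exclude pass from serialization outright, so it cannot reach
// the session even if some later code path sets it.
class User extends NaiveUser
{
    public function __sleep(): array
    {
        return ['id', 'userType', 'username', 'email'];
    }
}

// Constructed row (assumption) standing in for the registration case the
// answer describes, where the hash is still present in the object.
function sampleRow(): array
{
    return [
        'id'       => 42,
        'userType' => 'member',
        'username' => 'alice',
        'email'    => 'alice@example.com',
        'pass'     => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
    ];
}

// True when the serialized form (what $_SESSION would hold on disk or in
// the session backend) contains the bcrypt hash. PASSWORD_BCRYPT hashes
// always start with '$2y$'.
function hashLeaks(object $obj): bool
{
    return strpos(serialize($obj), '$2y$') !== false;
}

// 1. Protected visibility does not stop serialize() from including pass.
$naive = new NaiveUser(sampleRow());
var_dump($naive->verifyPassword('correct horse battery staple'));
var_dump(hashLeaks($naive));

// 2. Nulling the attribute before $_SESSION['user'] = $user removes it.
$naive->clearPassword();
var_dump(hashLeaks($naive));

// 3. With __sleep() the hash is never serialized, whatever pass holds.
$user = new User(sampleRow());
var_dump(hashLeaks($user));

// On the next request the restored object has no pass to check against,
// which is the intended state: re-authentication goes back to the database.
$restored = unserialize(serialize($user));
var_dump($restored->verifyPassword('correct horse battery staple'));
```

The __sleep() whitelist is the more robust of the two, because it holds even if a future registration or password-change script forgets to call clearPassword() before redirecting; the NULL approach depends on every code path that stores the object remembering to do it. Either way, code that runs after login should not rely on $_SESSION['user'] carrying a usable password hash.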
