I am just using the session variables $_SESSION['user_id'] and $_SESSION['passwd'] to store the id and password of the user once when he logs in. I am just checking these two variables against the database each time the user moves to a new PHP page for authentication. Actually, I didn't know about session_id().
I don't think what I am doing for authentication is the right way. I feel that there is something to be done with session_id for security stuff.
And one more doubt: can these session variables be easily hacked when I use them the way I mentioned?
What should I do?
An attacker cannot easily change or read your $_SESSION variables, as long as there is no other vulnerability present, but it is generally bad practice to store a password any longer than necessary on the server, for several reasons.
It is sufficient to check the password once when the user logs in. Afterwards you only need to store the authenticated user_id in the session. You have to know who the session belongs to, to grant the necessary permissions to this specific user. But you do already know that the user submitted the correct password, otherwise you wouldn't have stored his user_id in the session in the first place.
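The pattern the answer describes, as an added example that is not code from the question or the answer: the password is verified once at login and only the user id is kept in the session. It assumes a hypothetical `users` table with columns `id`, `username` and `passwd_hash` (a `password_hash()` value) and a PDO connection `$db`.

```php
<?php
// Added example, not from the original post. Assumes a `users` table
// (id, username, passwd_hash) where passwd_hash is password_hash() output.

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Check the password exactly once, at login time.
function login(PDO $db, string $username, string $password): bool
{
    ensureSession();
    $stmt = $db->prepare('SELECT id, passwd_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['passwd_hash'])) {
        return false;
    }

    // Issue a fresh session id so the authenticated session does not keep
    // the id that existed before login, then store only the user id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Called at the top of every protected page: a stored user_id is the proof
// that the password was already verified, so nothing is re-checked here.
function requireLogin(): int
{
    ensureSession();
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    ensureSession();
    $_SESSION = [];
    session_destroy();
}
```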