Hey all,
I’m programming my first user interface with login and account management using PHP and I’m stuck on this issue. I was just about to finish creating my method for creating new user accounts when a thought hit me about my design.
Here’s what happens. When the user attempts to log in, the program takes the string (haven’t filtered it yet) and checks to see if the user name and password provided are within the database using the user class I created. If the user is found in the database, the username is encrypted using an algorithm from another class, their credential levels are returned, and both values are stored with the user object on a $_SESSION variable. Another session variable is also created that mimics the value of the credential level stored within the object. Should either be unequal to each other, then the session was tampered with.
Now on the user class definition (method list), there are methods that allow for the decoding and encoding of the encrypted username, which brings me to my question. Considering the user object is defined by this class which holds these methods to decode and encode the username, would this be considered a security risk? This class will be the same one used for logging in general users, too, so I’m not sure…
To clarify, the password is stored as an MD5 hash on the DB already. Maybe I am thinking about objects the wrong way, but within my created user object, I am able to do something like this:
Since the username is stored in the user object and the username is encrypted,
$_SESSION['DAUSER'] = new user($username, $password /* , blah, blah */);
$realuser = $_SESSION['DAUSER']->getDecryptUserName();
My question is about getDecryptUserName(): is having the method in the same class that is being used to create the user object a security risk?
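
The login flow described above, as an added example that is not part of the original post: it keeps the user object in `$_SESSION['DAUSER']`, which PHP's default session handler stores on the server (the browser receives only the session ID), and checks the password with `password_hash()`/`password_verify()` rather than MD5. The `User` class, the `login()` function and the in-memory `$accounts` array are hypothetical stand-ins for the poster's class and database.

```php
<?php
declare(strict_types=1);

// Constructed sample account store standing in for the database table.
// The stored value is a password_hash() string (salted, slow), not an MD5 digest.
$accounts = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'level' => 2],
];

// Hypothetical user class: plain fields, no encode/decode methods.
final class User
{
    private string $username;
    private int $level;

    public function __construct(string $username, int $level)
    {
        $this->username = $username;
        $this->level = $level;
    }

    public function getUserName(): string { return $this->username; }
    public function getLevel(): int { return $this->level; }
}

// Returns a User on success, null on unknown user or wrong password.
function login(array $accounts, string $username, string $password): ?User
{
    $row = $accounts[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return null;
    }
    return new User($username, $row['level']);
}

session_start();
$user = login($accounts, 'alice', 'correct horse');
if ($user !== null) {
    session_regenerate_id(true);   // issue a fresh session ID once the user is authenticated
    $_SESSION['DAUSER'] = $user;   // serialized into server-side session storage
}

// Later requests read the object back; the credential level comes from this one place.
if (isset($_SESSION['DAUSER'])) {
    echo $_SESSION['DAUSER']->getUserName(), ' level ', $_SESSION['DAUSER']->getLevel(), PHP_EOL;
}
```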