Table of Contents

Store user password in session

Presentation

Password is not a common attribute. Indeed, in most cases, it is not stored in clear text in the backend (LDAP or database).

So, to store user password in session, you cannot just export the password variable in session. To bypass this, LL::NG can keep the password given by the user during authentication phase.

  • Because this may be a security flaw, password stored in session is not activated by default
  • This mechanism can only work with authentication backends using a login/password form (LDAP, DBI, …)

Configuration

Go in Manager, General Parameters » Sessions » Store user password in session data and set to On.

Usage

User password is now available in $_password variable. For example, to send it in an header:

Auth-Password => $_password
For security reasons, the password is not shown in sessions explorer.