Keeping plaintext passwords anywhere in any capacity is usually a bad idea. Sessions are safe as such, but only as safe as the rest of your server environment. Administrators or other users both legitimate and nefarious may have access to data stored on it. You never want to handle the secretsof your customers if you can avoid it; that also means you want to avoid seeing the user's password under any circumstances and you should build your code in a way that the plaintext password is as short lived as technically possible.

以任何身份将明文密码保存在任何地方通常是一个坏主意。会话本身是安全的，但仅与服务器环境的其余部分一样安全。管理员或其他合法用户和恶意用户可能有权访问存储在其上的数据。如果可以避免，您永远不想处理客户的秘密；这也意味着您希望在任何情况下都避免看到用户的密码，并且您应该以在技术上尽可能短的纯文本密码的方式构建您的代码。

If you need to use the password for something during a session, you should architect your app so it never uses the plaintext password, but use a key derivation functionto derive a key from the passwordwhich you then use for your sensitive tasks. This way there's a lot less chance to expose the user's password. Remember, the only security the user has is the secrecyof his password that only he is supposed to know.

如果您需要在会话过程中使用的东西的密码，你应该构建您的应用程序，所以它绝不会使用明文密码，而是使用一个密钥导出函数，以获得从密码的关键，你再使用你的敏感的任务。这样一来，暴露用户密码的机会就少了很多。请记住，用户拥有的唯一安全性是只有他应该知道的密码的保密性。

If doing so and when hackers get access to your server, they will see the passwords in plain text. Never store plain text passwords (wherever)

如果这样做并且当黑客访问您的服务器时，他们将看到纯文本的密码。永远不要存储纯文本密码（无论在哪里）

About the general question. You ask the user once for the password and verify the crypted password against a crypted password stored - let's say in a database. If they are the same then you start a new session. When the user next tries to access your site, you'll check if a session for this user exists. So there is no need to store the password in the session.

关于一般问题。您向用户询问一次密码并根据存储的加密密码验证加密密码 - 假设在数据库中。如果它们相同，则您开始一个新会话。当用户下次尝试访问您的站点时，您将检查该用户的会话是否存在。所以不需要在会话中存储密码。

Never store any kind of sensitive data anywhere except the database you should generally avoid using MD5and SHAfamily directly.

从来没有存储任何类型的，除非你一般应该避免使用数据库中的敏感数据的任何地方MD5和SHA家庭直接。

Then Whats the Solution ?

那么解决方案是什么？

If you are implementing Authentication system then compare then Client information (generally username and password) then create a special token and then save it to session or cookie.

如果您正在实施身份验证系统，然后比较客户端信息（通常是用户名和密码），然后创建一个特殊的令牌，然后将其保存到会话或 cookie。

Example

例子

if ($username == 'someuser' AND $password == 'somepassword_hash'){
    $token = md5(uniqid());
    // database query with along with user_id and token
    $_SESSION['_token'] = $token;
}

Comparing token

比较令牌

functon varifyToken($token){

    // database query here
    // SELECT user_id FROM sessions WHERE token = 'token_here'
}

Never store passwords in plaintext. Aside from that: yes, sessions are safe. Sessions are stored on the server. The session data itself is never sent to the browser.

永远不要以明文形式存储密码。除此之外：是的，会话是安全的。会话存储在服务器上。会话数据本身永远不会发送到浏览器。

Whether it is wiseor even necessaryto store a password in a session, probably not. Maybe for caching reasons but even then it's flakey.

在会话中存储密码是否明智甚至有必要，可能不是。也许是出于缓存的原因，但即便如此，它仍然很糟糕。