Why is the password stored in the session?
I just purchased this product and immediately found one thing which drew my attention.
1. In Admin/user_LogIn.php, I found the following:
if((((isset($_POST["userName"]) && $_POST["userName"]==$WAGLOBAL_Admin_UserName)?$_POST["userName"]:"") != "")) {
    $_SESSION["AdminLogin"] = "".((isset($_POST["Password"]))?$_POST["Password"]:"") ."";
}
Why does the Admin Password (which is very critical) need to be stored in the session? This is indeed something very unusual in web development where security is a concern. Storing passwords in a cookie or session is a very poor coding standard and poses a great security hole.
Can anybody explain why this is done? Or am I missing something?
Also, once I log in after a successful registration, when I access the login page through the browser, the default behaviour should be (since I am already logged in) to display the success page URL or something like that. But instead I see that I am again prompted for login. This is also not the expected behaviour of a website from the user's perspective.
Care to explain?
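For comparison with the snippet quoted in the post, here is an added example (not part of the original post and not the product's code) of a login check that verifies the password against a stored hash and keeps only a logged-in flag in the session. The function names, `$adminUser`, `$adminHash` and the `AdminUser` key are hypothetical, and a plain array stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Added example, not the product's code. $adminUser and $adminHash are
// hypothetical stand-ins for the product's configured admin credentials.
declare(strict_types=1);

function attemptAdminLogin(array $post, array &$session, string $adminUser, string $adminHash): bool
{
    // Accept only string inputs; arrays sent as userName[]=... become ''.
    $user = is_string($post['userName'] ?? null) ? $post['userName'] : '';
    $pass = is_string($post['Password'] ?? null) ? $post['Password'] : '';

    // Compare the name in constant time and check the password against the
    // stored hash. Both checks always run, whichever one fails.
    $userOk = hash_equals($adminUser, $user);
    $passOk = password_verify($pass, $adminHash);
    if (!($userOk && $passOk)) {
        return false;
    }

    // Keep only a flag and the identity in the session, never the password.
    $session['AdminLogin'] = true;
    $session['AdminUser']  = $adminUser;
    return true;
}

function isAdminLoggedIn(array $session): bool
{
    return ($session['AdminLogin'] ?? false) === true;
}

// Constructed demo data so the script runs without a web server.
$adminUser = 'admin';
$adminHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
$session   = []; // stands in for $_SESSION

// Wrong password: rejected, session stays empty.
var_dump(attemptAdminLogin(['userName' => 'admin', 'Password' => 'wrong'], $session, $adminUser, $adminHash));
// Correct password: accepted, flag set.
var_dump(attemptAdminLogin(['userName' => 'admin', 'Password' => 'constructed-demo-password'], $session, $adminUser, $adminHash));
var_dump(isAdminLoggedIn($session));
// The submitted password is not among the session values.
var_dump(in_array('constructed-demo-password', $session, true));
```

In a real page, call `session_start()` first and `session_regenerate_id(true)` after a successful login, and have the login page redirect when `isAdminLoggedIn($_SESSION)` is already true instead of prompting again.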