Topic: Store password in the session?
I'm working on a web app that has a login system. On the page that allows you to edit your account information, I have both a password field and a password confirmation field; obviously, filling these in should allow the user to change his password.
As a security measure, I'd like to force the user to fill in the password confirmation field each time he changes any piece of his account information, not only when he's updating his password. The password field (not the password confirmation, just the normal password field) should be pre-populated (as a form password field) with the user's current password when the "My Account" page loads. This way, the user changes both fields to change his password, and only the confirmation field if he's just trying to edit some other setting related to his account.
I'm using restful_authentication as the login system. The non-hashed password is not stored in the database; only the hashed one is. This makes sense to me -- even folks with admin database access should not have access to the user's non-hashed password. The question, then, is this: how do I pre-populate the password field on the "My Account" page?
What I've done is store the user's non-hashed password in the session when he logs in. That way, when he visits the "My Account" page, the session can be used to prepopulate the password field.
Are there security implications to this approach? Is it unwise to store a user's non-hashed password in the session? If it is unwise, can someone recommend another approach to solving this problem?
Thanks for your time.
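One way to avoid keeping the plaintext password anywhere (session included), as an added example that is not part of the original post: verify the submitted current password against the stored salted digest on every account update, and rotate the digest only when a new password and its confirmation match. The `User` class, its hashing scheme and the method names are constructed for illustration and only approximate what restful_authentication generates; they are not the plugin's own code.

```ruby
require 'digest/sha1'
require 'securerandom'

# Constructed stand-in for a restful_authentication-style user record: the
# database holds only a salt and a salted SHA1 digest, never the password.
# (A modern app would use bcrypt; salted SHA1 is kept here only to mirror
# the kind of scheme the post's plugin used at the time.)
class User
  attr_reader :email, :salt, :crypted_password

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(20)
    @crypted_password = User.encrypt(password, @salt)
  end

  # Hypothetical digest format, chosen for illustration.
  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Compare the candidate digest in constant time so a wrong guess does not
  # leak how many leading bytes matched.
  def authenticated?(password)
    candidate = User.encrypt(password, salt)
    return false unless candidate.bytesize == crypted_password.bytesize
    candidate.bytes.zip(crypted_password.bytes)
             .inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Apply account changes only when the submitted current password verifies
  # against the stored digest. No plaintext is ever retained: the check
  # happens on the submitted value and it is discarded afterwards.
  def update_account(current_password, attrs, new_password = nil, new_password_confirmation = nil)
    return :bad_current_password unless authenticated?(current_password)
    if new_password
      return :confirmation_mismatch unless new_password == new_password_confirmation
      @salt = SecureRandom.hex(20)            # fresh salt on every rotation
      @crypted_password = User.encrypt(new_password, @salt)
    end
    @email = attrs[:email] if attrs[:email]
    :ok
  end
end
```

With this shape the "My Account" form needs only an empty current-password field, so there is nothing to pre-populate and nothing sensitive to hold in the session.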