check password in all restrict pages or just in login?

Question

I have a user session in my website. In login page I do:

//mysqli select

if (password_verify($password, $hash)) {
    $_SESSION["user"] = $user;
}

so every page I just check: if(!isset($_SESSION["user"])){die();}

my friend told me that I should record in a session, on login, the password too, like this:

if (password_verify($password, $hash)) {
    $_SESSION["user"] = $user;
    $_SESSION["pass"] = $pass; //$pass that user type in login
}

and in each page do a select in mysql again with session user and pass do check if login is valid or not.

So my question is, do I need to check password in mysql each page or can I do it just once in login?

Answer 1

If you are using Session to login then there is no need to verify the password in all the pages as Session variables are only editable by your program, on the other hand if you were using Cookies to save user and password then you might need to check on all pages as users can change Cookies.

But if you use Session variables and incase you delete the user from your Admin Panel or Lock his account access, and if user was logged in before he will have continued access. So you must also put some check that whether the Username and Password saved in the session is still valid or not.

Answer 2

It does not make any sense.

1. You get Password from Login form
2. You check it's correct or not
3. If correct you allow for other pages

Now, if you store same password in session at the time of login, You will get Passwords match at every page because passwords is in Session and will be same till session will get expire, and on session expire user should go to login page only.

This may affect performance.