Hi guys,
I'm trying to create a small, publicly accessible database where security is
a concern since I want some users to have administrative access and others not
to. The backend is MySQL 5.0.18 with PHP 5.1.2 on an Apache 2.0.55 server,
and I am curious as to how much my session code and my database should
interact to achieve a good balance of security and speed/overhead. I have
come up with several approaches:
 
1. Use sessions to send the username and password from the website to the
database, where the database will authenticate it and allow that user to log
in with pre-defined privileges. Administrators could create database user
accounts.
2. Use sessions to store usernames and passwords completely in PHP, and then
have a single non-administrative account that the PHP would use to access
the database. A similar method would be used for administrative accounts as
well.
3. Store all session-related information in the database (might be faster
than using PHP to store the info?).
 
As I said before, I'm trying to implement a reasonable amount of security
without significantly impacting the overall speed of my system (frontend &
backend). Any advice?
 
-Sean
