is threre a most advisble way to store db-passwords of an open user-session?
As far as I get it, a common login strategy is to let the user login by
name&password, check it, store a login=TRUE as php-session variable and
later use a common dbuser+pw to query data provided "login" is TRUE.
This way one wouldn't have to store the users pw or actually the user
wouldn't have a real db-account but rather an application account.
Is this really better or equal than using real db-accounts?
Should I rather store the db-credentials in a session or cookies?
Session is vulnerable as any host-user could look into /tmp.
This would generally be a trusted few though.
On the other hand cookies could be manipulated by the user or at least
be spied upon on the way between user and web-host everytime the
credentials are needed for a query.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php