is threre a most advisble way to store db-passwords of an open user-session?
As far as I get it, a common login strategy is to let the user login by name&password, check it, store a login=TRUE as php-session variable and later use a common dbuser+pw to query data provided "login" is TRUE.

This way one wouldn't have to store the users pw or actually the user wouldn't have a real db-account but rather an application account.

Is this really better or equal than using real db-accounts?

Should I rather store the db-credentials in a session or cookies?

Session is vulnerable as any host-user could look into /tmp.
This would generally be a trusted few though.

On the other hand cookies could be manipulated by the user or at least be spied upon on the way between user and web-host everytime the credentials are needed for a query.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to