On Tue 29 Nov 2011 01:34:08 PM IST, Andreas wrote: > Hi, > > is threre a most advisble way to store db-passwords of an open > user-session? > As far as I get it, a common login strategy is to let the user login > by name&password, check it, store a login=TRUE as php-session variable > and later use a common dbuser+pw to query data provided "login" is TRUE. > > This way one wouldn't have to store the users pw or actually the user > wouldn't have a real db-account but rather an application account. > > Is this really better or equal than using real db-accounts? > > Should I rather store the db-credentials in a session or cookies? > > Session is vulnerable as any host-user could look into /tmp. > This would generally be a trusted few though. > > On the other hand cookies could be manipulated by the user or at least > be spied upon on the way between user and web-host everytime the > credentials are needed for a query. >
What exactly do you mean by db-account? I didn't understand your question, but this is what I do in my applications- When the user submits the login form, validate POST data (for mischevious stuff) and check if username & password query works out successfully. If it does, store a session variable login=true and let the user work on the private parts of the site. The cookie essentially, contains just the session id. I never use cookies to store data, only sessions. I also add ip and user-agent filtering to my auth systems. -- Nilesh Govindarajan http://nileshgr.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
