On Tue 29 Nov 2011 01:34:08 PM IST, Andreas wrote:
> Hi,
> is threre a most advisble way to store db-passwords of an open
> user-session?
> As far as I get it, a common login strategy is to let the user login
> by name&password, check it, store a login=TRUE as php-session variable
> and later use a common dbuser+pw to query data provided "login" is TRUE.
> This way one wouldn't have to store the users pw or actually the user
> wouldn't have a real db-account but rather an application account.
> Is this really better or equal than using real db-accounts?
> Should I rather store the db-credentials in a session or cookies?
> Session is vulnerable as any host-user could look into /tmp.
> This would generally be a trusted few though.
> On the other hand cookies could be manipulated by the user or at least
> be spied upon on the way between user and web-host everytime the
> credentials are needed for a query.

What exactly do you mean by db-account?
I didn't understand your question, but this is what I do in my 
applications- When the user submits the login form, validate POST data 
(for mischevious stuff) and check if username & password query works 
out successfully. If it does, store a session variable login=true and 
let the user work on the private parts of the site.
The cookie essentially, contains just the session id. I never use 
cookies to store data, only sessions.
I also add ip and user-agent filtering to my auth systems.

Nilesh Govindarajan

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to