IndynewToPhp Posted February 14, 2009

Hi, I've been searching on Google for how to implement sessions for user authentication. I've seen two methods. Note: I know a bit about how sessions work, but I do wonder this:

One type of example shows using sessions to store both the username and the user's password. Each time a secure page is requested it then takes those session variables and checks the database to see if it's a valid combo, each and every time. This seems a bit insecure to me in that you are storing the user's password on the server...right? Also, it's accessing the database needlessly...right?

The other type, and the one that makes sense to me, is that the username and password are checked against the database ONCE and, if found to be valid, a session variable is set to indicate that...for example $_SESSION["access"] = "granted"; and then that session variable is checked on every secure page. Thus the database is only accessed once.

Is one method better than the other? If so, why? Thanks!
sellfisch Posted February 15, 2009

I prefer the second one, because it doesn't take so many DB queries (in the first solution you send a query for every page).
jackpf Posted February 26, 2009

The only problem is if someone decides to edit their session cookies after they've been "granted". They might be able to change their sessions to someone else's. There's loads of info about session hijacking on Google.
WolfRage Posted March 1, 2009

But so long as you do not bare the session variable to the user, then the session variables should be safe. But if you are on a shared host then you need to store your sessions in a secure folder, or in the database, which will result in the high number of queries. To prevent hijacking you will need to use extra means of user validation, like using a coded cookie or two and user browser integrity.
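As an added example (not code posted by anyone in this thread), here is how the second approach can be implemented in PHP while addressing the hijacking concern raised above: the password is verified once against a stored hash, only the user ID is kept in the session (never the password), and the session ID is regenerated at login. The $users array standing in for the database and the /login.php path are constructed placeholders.

```php
<?php
// Added example: verify the password once, keep only the user ID in the
// session, and never store the password itself server-side in the session.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the session cookie
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent on cross-site POSTs
]);
session_start();

// Constructed sample "database": stores password hashes, never plaintext.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Called once, from the login form handler. This is the only place the
// password is ever compared against the database.
function login(array $users, string $username, string $password): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;                         // one generic failure path
    }
    // A fresh session ID after the privilege change defeats session
    // fixation: an ID the attacker planted before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $row['id'];       // who is logged in
    $_SESSION['login_at'] = time();           // enables an absolute timeout
    return true;
}

// Called at the top of every protected page: no database query needed,
// because the server-side session data is what marks the user as valid.
function require_login(int $maxAge = 3600): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'])
        || time() - $_SESSION['login_at'] > $maxAge) {
        session_unset();
        session_destroy();
        header('Location: /login.php');       // constructed path
        exit;
    }
    return $_SESSION['user_id'];
}
```

The client only ever holds the opaque session ID, so editing the cookie cannot change the user_id stored on the server; the remaining risk is someone obtaining a valid ID, which the HttpOnly and Secure flags and the timeout are there to limit.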