Re: [GENERAL] passing variables in PHP3 - Mailing list pgsql-general
From: Lincoln Yeoh
Subject: Re: [GENERAL] passing variables in PHP3
Msg-id: 3.0.5.32.20000228113324.008c6c80@pop.mecomb.po.my
In response to: passing variables in PHP3 ("sheila bel" <sheilabel@hotmail.com>)
List: pgsql-general
At 08:21 PM 27-02-2000 GMT, sheila bel wrote:

> Hi,
>
> I've written an application for the web that asks users for their
> id and password, checks the database and if they are legit
> takes them to a page. Now I'm using the PHP_AUTH_USER variable
> to identify the user and I need that information from one
> file to another. How do I do that? I tried storing it in a
> variable and sending it along with an html anchor but that is
> not a neat way of doing it since every time I need the value of
> that variable the user has to click on an image and another problem
> with that is the user id will show up in the url and I don't want
> that security risk.
> So my question is how do I store the value of PHP_AUTH_USER for
> a specific user and access it from many PHP3 files?

OK, for proper security, just the username should not be enough, even for subsequent pages. For people can easily change the data they send to your application, whether it is in a cookie or form field or url.

There are a few ways to do this.

1) Do a username and password check for EVERY page.

2) Do a username and password check on log in and create a session, a random unguessable string, and pass that around.

The only good way I can see for doing 1) is to use the built-in browser authentication thing, where a login dialog box pops up once, and after that the browser automatically sends the username+password for every page in that url domain. If you pass the username and password in a form, it is less secure: more chances for other people to find it.

I do 2). My version is: once a person hits any page without an existing valid session they are given a session, whether they are logged in or not. The session is inserted into the database, as a row in the session table. Once they log in successfully, the session is marked logged in, and the userid and other miscellaneous stuff are also stored.
When the user has a session and hits a page, the app looks up the session and can check if the session has timed out, if the user has logged in, and if so which user it is (and also can look up permissions).

Example table.

CREATE TABLE SESSION (
    SES_ID       SERIAL,
    SES_STR      VARCHAR(40) DEFAULT '',
    SES_UID      INT4 DEFAULT 0,
    SES_LOGIN    VARCHAR(16) DEFAULT '',
    SES_STAT     CHAR DEFAULT 'N',
    SES_SDATE    DATETIME,
    SES_ADATE    DATETIME,
    SES_OPTIONS  INT4 DEFAULT 0,
    SES_LIFESPAN TIMESPAN DEFAULT 900
);

ses_id is the primary key.
ses_str stores a random string (sha1_hex of random stuff).
ses_uid stores the userid.
ses_login stores the username (optional; I'm having second thoughts about this).
ses_stat stores the status.
ses_sdate = start of session.
ses_adate = when the session was last active.
ses_options = various options/preferences for the session.
ses_lifespan = how long a session can be inactive before timing out.

Of course it gets slightly inconvenient if we have more than 2 billion sessions, but <big grin>.

The session is passed around in the following format: ses_str.ses_id

The reason I do this is performance: the app just grabs the ses_id and uses that for a very quick (hopefully) primary key look up to check ses_str.

Currently I pass the session in the URL and as form post values, AND as a cookie. The cookie is a backup in case the URL session is destroyed for any reason, e.g. the user hits static html pages. The cookie vs url

If there are faster and better ways of doing this do let me know. I'll be very happy to know of better ways!

Would it really be better to use char instead of varchar for this? Is it significantly faster? I don't like dealing with padding tho. Dealing with padding may negate the speed gains.

Cheerio,
Link.
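The session scheme described in the post above (anonymous session row created on first hit, a random unguessable ses_str, a token in the form ses_str.ses_id, primary-key lookup on ses_id followed by a check of ses_str, inactivity timeout from ses_adate and ses_lifespan, and the row marked logged in after a successful login), as an added example that is not Lincoln's code or PHP3. It uses an in-memory SQLite table as a stand-in for the PostgreSQL SESSION table; the column names follow the post, while the Python helpers, the use of secrets.token_hex in place of "sha1_hex of random stuff", the 'L'/'X' status codes and the timestamps as plain seconds are assumptions made for the example.

```python
# Added example: session table lookup in the style of the post.
# SQLite stands in for PostgreSQL; helper names and status codes are assumed.
import hmac
import secrets
import sqlite3

LIFESPAN = 900  # seconds of inactivity before timeout (the post's default)
HEX = set("0123456789abcdef")


def open_db():
    """Create the session table (columns as in the post, types adapted to SQLite)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE session (
        ses_id       INTEGER PRIMARY KEY AUTOINCREMENT,
        ses_str      TEXT NOT NULL,
        ses_uid      INTEGER DEFAULT 0,
        ses_login    TEXT DEFAULT '',
        ses_stat     TEXT DEFAULT 'N',
        ses_sdate    REAL,
        ses_adate    REAL,
        ses_lifespan REAL DEFAULT 900)""")
    return db


def new_session(db, now):
    """Insert an anonymous session row and return the token 'ses_str.ses_id'."""
    ses_str = secrets.token_hex(20)  # 40 hex chars from the OS CSPRNG (assumed generator)
    cur = db.execute(
        "INSERT INTO session (ses_str, ses_sdate, ses_adate, ses_lifespan) VALUES (?, ?, ?, ?)",
        (ses_str, now, now, LIFESPAN))
    return f"{ses_str}.{cur.lastrowid}"


def lookup_session(db, token, now):
    """Return (ses_id, ses_uid, ses_stat) for a valid, unexpired token, else None.

    Mirrors the post: split off ses_id, fetch the row by primary key, then verify
    ses_str. A failed ses_str check is treated exactly like an unknown session.
    """
    try:
        ses_str, ses_id_txt = token.rsplit(".", 1)
        ses_id = int(ses_id_txt)
    except (ValueError, AttributeError):
        return None
    if len(ses_str) != 40 or not set(ses_str) <= HEX:
        return None  # malformed token; never reaches the database
    row = db.execute(
        "SELECT ses_str, ses_uid, ses_stat, ses_adate, ses_lifespan FROM session WHERE ses_id = ?",
        (ses_id,)).fetchone()
    if row is None:
        return None
    stored_str, uid, stat, adate, lifespan = row
    if not hmac.compare_digest(stored_str, ses_str):  # constant-time string compare
        return None
    if stat == "X" or now - adate > lifespan:
        # Inactive too long: mark expired ('X' is an assumed status code) and refuse.
        db.execute("UPDATE session SET ses_stat = 'X' WHERE ses_id = ?", (ses_id,))
        return None
    # Sliding window: record this hit as the last activity.
    db.execute("UPDATE session SET ses_adate = ? WHERE ses_id = ?", (now, ses_id))
    return ses_id, uid, stat


def mark_logged_in(db, token, uid, login, now):
    """After a successful password check, store the user on the existing session."""
    found = lookup_session(db, token, now)
    if found is None:
        return False
    db.execute("UPDATE session SET ses_stat = 'L', ses_uid = ?, ses_login = ? WHERE ses_id = ?",
               (uid, login, found[0]))
    return True


def current_user(db, token, now):
    """Return the ses_uid for a logged-in, unexpired session, else None."""
    found = lookup_session(db, token, now)
    if found is None or found[2] != "L":
        return None
    return found[1]


if __name__ == "__main__":
    db = open_db()
    tok = new_session(db, 1000.0)
    print("anonymous:", current_user(db, tok, 1001.0))
    mark_logged_in(db, tok, 42, "sheila", 1002.0)
    print("logged in as:", current_user(db, tok, 1010.0))
    print("after timeout:", current_user(db, tok, 1010.0 + LIFESPAN + 1))
```

The lookup reproduces the post's ordering: a primary-key fetch on ses_id, then the ses_str comparison. Because ses_id is a small guessable integer, all of the unguessability lives in ses_str, so that comparison is the check that matters; a wrong ses_str, a wrong ses_id and an expired row all return the same result, so a caller learns nothing about which part was wrong.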