Here's an idea I've been thinking about as far as implementing very speedy authentication. My main issue is that the user base will likely be on a different database (or server altogether) from the one with this application - so doing a constant "SELECT x FROM user WHERE userID=y;" on every page load is not really an option.
Now to the idea...
Cookie will be assembled like this:
- Whenever a user is browsing as a guest - there are no cookies, no sessions. Nada.
- Whenever a user is logged in - there is one cookie always set (no cookie - not logged in).
An example one could be:
In case you're curious about the above hashes:
sha1('password') == 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
sha1('1Admin5baa61e4c9b93f3f0682250b6cf8331b7ee68fd812345salt') == 0bfc3e5677f7f7e7337cd32ab8782fcba9f1c8bb
12345 is just an example of an expiration value - it will be a unix timestamp formatted date within two weeks after the login (the time the cookie will stop authenticating someone)
On each page load, if the cookie is present and the fingerprint validates, I authenticate the user (I assume I can trust the data if the fingerprint matches, since the "salt" is secret). If a cookie is not found, or the fingerprint doesn't validate, I don't authenticate the user.
This works nicely efficiency-wise as there is no session tracking at all, and no constant queries to get user information.
Now... the disadvantages:
- user is banned
The system in no way can tell if someone is banned at any point OTHER than login, when they get the cookie in the first place; but this isn't a biggie for me since I'm not planning to ban users from my webSITE.
- user changes password
If a user logs in, doesn't log out, then changes the password on another computer, the first computer will still authenticate the user from the old cookie. Is it really a significant issue? I'm not sure. Part of the cookie is the "expiration" value (unix timestamp), so even if a cookie like that is set - it will expire eventually (I'm planning to allow logins to be remembered for only up to two weeks). Another measure I can do is ONLY verify the password on the first page load in a visit.
I'm not really placing anything particularly sensitive on the website, so this system seems adequate to me.
If anyone can give impressions or critiques of this concept, I would greatly appreciate it. Perhaps I'm missing some other disadvantages to this?