  1. #1 SitePoint Enthusiast (Spain; joined Jun 2003; 65 posts)

    PHP Login Sessions Against DB

    Good Evening,

    Just a question regarding sessions and how users are authenticated. There are many threads covering the coding etc.; this is more of a logic/theory question.

    I have my database that stores user ID and salted password. Once logged in and verified, various details are stored in the session, including the user ID and a hashed 'pass token'; these are stored in cookies too for 'remember me'.

    On each page, check for a valid session; if none is found, check whether the cookies are set (and in that case validate them); otherwise the user is not logged in.

    However, if a valid session is found, would you validate this against the database for every page load? Are there any drawbacks to this method, and any security holes in not verifying against the DB? I have seen opinions that seem to sway to either side of this argument.

  2. #2 kromey (Fairbanks, AK; joined Sep 2006; 1,621 posts)
    If you find a valid session, general practice says that you assume the user has already validated and you don't validate against the database again. Only when picking up "remember me" cookie(s) or logging in a user who was not logged in already do you check against the database.

    There is no point in verifying the session against the DB - how would you do it? If you store the username and password in the session, well, you a) are not gaining anything in terms of securing the session because those values remain on the server, and thus it's akin to asking the database "is 1 equal to 1?" on every page load, and b) doing so puts your users at risk if you are in a shared hosting environment because everyone who has an account on that server (i.e. other people hosted on that physical box) can read all your session data.

    Google "session hijacking" to learn about the security risks when you don't verify. You'll also find (if you dig deep enough) that there is no practical method for completely preventing session hijacking without putting undue strain on your server and/or causing undue nuisance to your users. Search this forum as well for countless discussions on the topic.
    PHP questions? RTFM
    MySQL questions? RTFM

  3. #3 SitePoint Evangelist (Oregon; joined Sep 2004; 445 posts)
    I personally confirm/validate against the database on every page load. Usually I would simply confirm the pass token, or some sort of session token.

    Confirming all data would be a waste of resources.

  4. #4 kromey (Fairbanks, AK)
    What exactly are you validating against the database? If you're validating session variables, then you're wasting resources. If you're validating the session ID, then you're wasting resources (unless you are using database-driven sessions instead of PHP's default filesystem-based sessions). If you're validating other cookie values, you're again wasting resources (although this point is arguable).
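The flow the opening post describes, with the split the replies converge on (a live session is trusted as-is; only the remember-me path hits the database, and that path validates a hashed token rather than a password), written out as an added example. This is not code from the thread or from any of the posters. The database is replaced by an in-memory array so the file runs offline with `php`; the split of the cookie into a lookup "selector" and a secret "validator", and the one-time rotation of the token, are design choices of this example and not something the thread prescribes. Function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Constructed stand-in for a `remember_tokens` table:
// selector => ['user_id', 'hash' (SHA-256 of the secret validator), 'expires']. A real app
// would use PDO against MySQL; the array only exists so the example runs without a server.
$db = ['tokens' => []];

// Mint a remember-me token. The DB keeps only a hash of the validator, so a dumped table
// cannot be replayed as cookies. Returns the cookie value "selector:validator".
function issueRememberToken(array &$db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(8));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // the secret that lives only in the cookie
    $db['tokens'][$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + 30 * 86400,
    ];
    return $selector . ':' . $validator;
}

// The one place the database is consulted: resolve a remember-me cookie to a user id.
function userFromRememberCookie(array &$db, ?string $cookie, int $now): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $db['tokens'][$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        return null;
    }
    // hash_equals is constant-time, so response timing leaks nothing about the stored hash.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // Known selector, wrong secret: treat as a tampered or guessed cookie and burn the row.
        unset($db['tokens'][$selector]);
        return null;
    }
    // Single use: delete the row so a copied cookie stops working once the owner has used it.
    unset($db['tokens'][$selector]);
    return $row['user_id'];
}

// Per-request check, mirroring the opening post's three branches.
// $session stands in for $_SESSION, $cookie for $_COOKIE['remember'].
function currentUser(array &$session, array &$db, ?string $cookie, int $now, ?string &$newCookie = null): ?int
{
    // 1. Live session: trusted without a database round trip (kromey's point).
    if (isset($session['user_id'])) {
        return $session['user_id'];
    }
    // 2. No session: fall back to the remember-me cookie, which IS checked against the DB.
    $userId = userFromRememberCookie($db, $cookie, $now);
    if ($userId === null) {
        return null; // 3. Not logged in.
    }
    // Promote to a session. In a real request call session_regenerate_id(true) here so the
    // pre-login session id is not carried over (session fixation), then reissue the cookie.
    $session['user_id'] = $userId;
    $newCookie = issueRememberToken($db, $userId, $now);
    return $userId;
}

// Demo run on constructed data.
$now     = time();
$session = [];
$cookie  = issueRememberToken($db, 42, $now);
$copy    = $cookie;   // an attacker who copied the cookie before the legitimate user returned
$fresh   = null;
$viaCookie  = currentUser($session, $db, $cookie, $now, $fresh); // 42, resolved through the DB
$viaSession = currentUser($session, $db, null, $now);            // 42, no DB access at all
$stolen     = [];
$replayed   = currentUser($stolen, $db, $copy, $now);            // null, token already rotated
printf("cookie: %s  session: %s  replayed copy: %s\n",
    var_export($viaCookie, true), var_export($viaSession, true), var_export($replayed, true));
```

When wiring this into a real page, set the remember-me cookie with `setcookie()` using the `httponly` and `secure` flags so it is neither readable from JavaScript nor sent over plain HTTP, and store the expiry in the DB row (as above) rather than trusting the cookie's own lifetime.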
