On 29.11.2011 23:54, Tamara Temple wrote:
> As I read it, the OP may be confusing application user logins and the
> credentials used by the application to access the database.
> Individual application users should *NOT* have direct access to the
> database by having their individual credentials in the DB access
> list. The application should have a unique set of credentials for
> accessing the database, and the only way users can gain access to the
> database should be through the application. Do NOT store database
> credentials anywhere in the session or in cookies, either, as that can
> give people access to your database as well.
Actually, the OP is trying to figure out why it is a good thing to have
just one set of DB credentials for the application instead of individual
credentials for every user.
The DBMS has a fine-grained permission control system in place.
The issue with this is that I need to keep the user's DB user and password in
a session or cookie because I need them for every connection to the DB.
On the other hand, a common way seems to be to check the user's
credentials, store just some kind of "LoggedIn = TRUE", and use the
application's credentials for queries.
But this way I would have to reinvent the access control system within the
application.
I'm rather leaning towards the first way, with individual credentials, because I
haven't seen convincing arguments against it yet.
Right now we are talking about a web server that has just a very limited
set of local users who might get the idea to snoop in /tmp for session
files.
AFAIK, according to the default settings, garbage collection does not run very
often on low-traffic sites, so stale session files could stay in /tmp
for months. That is not very comfortable, though.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
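The following is an added example, not code posted by anyone in the thread, showing the second approach discussed above ("LoggedIn = TRUE" plus the application's own DB credentials) together with the session-file concern raised at the end: the session stores only the authenticated user's id and role, the DB credentials come from the environment rather than the session or a cookie, session files go into an owner-only directory instead of the shared /tmp, and garbage collection is given an explicit probability so stale files do not linger for months. The `users` table, the `APP_DB_*` environment variable names, the session directory and the demo accounts are assumptions made for this example; SQLite in memory stands in for the real DBMS so the script runs offline from the CLI.

```php
<?php
// Added example for the PHP list thread above; not code from the thread.
// Only the application holds DB credentials. The session holds the
// authenticated user's id and role, never a password.
declare(strict_types=1);

// Session hardening against local users snooping in /tmp: keep session
// files in a directory only the web server user can read, and make garbage
// collection run on a predictable schedule instead of the low default
// probability on a low-traffic site.
$sessionDir = sys_get_temp_dir() . '/app-sessions';   // assumed path
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);                   // owner-only directory
}
ini_set('session.save_path', $sessionDir);
ini_set('session.gc_maxlifetime', '1440');            // 24 minutes idle lifetime
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '10');                  // about 10% of requests run GC
ini_set('session.use_strict_mode', '1');              // reject unknown session ids
ini_set('session.cookie_httponly', '1');              // keep the cookie away from JS

// The application's own DB credentials come from the environment (or a
// config file outside the web root), never from the session or a cookie.
// APP_DB_DSN / APP_DB_USER / APP_DB_PASS are assumed variable names.
function appConnection(): PDO
{
    $dsn  = getenv('APP_DB_DSN')  ?: 'sqlite::memory:';
    $user = getenv('APP_DB_USER') ?: null;
    $pass = getenv('APP_DB_PASS') ?: null;
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Constructed demo data: two application users with hashed passwords.
function seedDemoUsers(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pwhash TEXT, role TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (name, pwhash, role) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 'reader']);
}

// Login: verify the user's password against the stored hash, then store only
// the user id and role in the session. The password itself is discarded.
function login(PDO $pdo, string $name, string $password): bool
{
    $q = $pdo->prepare('SELECT id, pwhash, role FROM users WHERE name = ?');
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id after a privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['role']    = $row['role'];
    return true;
}

// Authorization is enforced by the application on every request; this is
// the part the thread calls "reinventing" the DBMS access control.
function requireRole(string $role): void
{
    if (($_SESSION['role'] ?? null) !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
}

if (PHP_SAPI === 'cli') {
    session_start();
    $pdo = appConnection();
    seedDemoUsers($pdo);
    var_dump(login($pdo, 'bob', 'wrong password'));
    var_dump(login($pdo, 'bob', 'battery staple'));
    requireRole('reader');                // passes for bob
    var_dump($_SESSION);                  // user_id and role only, no DB password
}
```

Run it with `php example.php`; the first login attempt fails, the second succeeds, and the dumped session contains no credentials at all, so a stale session file in the save path exposes at most a user id and a role name rather than a working DB login.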