Hi guys,

I'm trying to create a small, publicly accessible database where security is a concern, since I want some users to have administrative access and others not to. The backend is MySQL 5.0.18 with PHP 5.1.2 on an Apache 2.0.55 server, and I am curious as to how much my session code and my database should interact to achieve a good balance of security and speed/overhead. I have come up with several approaches:

1. Use sessions to send the username and password from the website to the database, where the database will authenticate it and allow that user to log in with pre-defined privileges. Administrators could create database user accounts.
2. Use sessions to store usernames and passwords completely in PHP, and then have a single non-administrative account that the PHP would use to access the database. A similar method would be used for administrative accounts as well.
3. Store all session-related information in the database (might be faster than using PHP to store the info?).

As I said before, I'm trying to implement a reasonable amount of security without significantly impacting the overall speed of my system (frontend & backend). Any advice?

-Sean