<p>Use <a href="http://php.net/manual/en/features.sessions.php" rel="nofollow noreferrer">Sessions</a>. Store the session id in the cookie, and store the state of the user on the server side (loggedIn, userId, IP).</p>
<p>To clarify what you need to store in the session array:</p>
<ul>
<li><strong>loggedIn:</strong> A boolean variable about whether the user is logged in or not. You reuse the same cookie for multiple sessions, so you remember the user's username next time they come to your site, etc.</li>
<li><strong>userId:</strong> The unique id of the user in the database. Use this to get more information on the user, like username, email etc. This too can be kept in the session array after the user logs out.</li>
<li><strong>IP:</strong> To prevent someone from stealing the session id and using it, you store the IP of the user as well. This is optional, as sometimes you want to allow the user to roam (e.g., stackoverflow allows me to move about with my laptop without logging me out when the IP changes).</li>
<li><strong>lastPing:</strong> The timestamp the user was last seen. This can be used instead of the cookie expiration date. If you also store the <strong>lifetime</strong> of the session, then you can log the user out due to inactivity. This means that the session id cookie can be stored on the user's computer for a very long time.</li>
</ul>
<p>When the user logs out or is logged out due to inactivity, you simply set <code>loggedIn</code> to false. When the user logs in with the right username and password you set <code>loggedIn</code> to true and update the other fields (userId, IP, lifetime). When the user loads a page, you check the <code>lastPing</code> against the current time and the <code>lifetime</code>, and either update <code>lastPing</code> or log out the user.</p>
<p>The session data can either be stored in the filesystem or in a database. If stored in a database, then userId is either a foreign key to the user record, or all the data can be put in the user record.</p>
<h2>Hashing</h2>
<p>Rehashing a value several times is not a good idea, because you <a href="https://stackoverflow.com/questions/1225528/double-hashing-security">reduce the security</a>. Instead use salt, combining a static salt (name of the page for example) and the username of the user, together with the password. A hash that takes a long time isn't better than a fast hash; a hash that results in a large digest is better than a hash that results in a short digest (due to brute force). Using SHA1 should be good enough for a normal site (i.e., not a bank or a secret military organization).</p>
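<p>The session lifecycle the answer describes (set the fields on login, flip <code>loggedIn</code> on logout, compare <code>lastPing</code> with <code>lifetime</code> on every page load, optionally pin the session to the client IP), written out as an added PHP example. This is not the answer's own code; the function names <code>loginUser</code>, <code>logoutUser</code> and <code>touchSession</code>, the constants <code>SESSION_LIFETIME</code> and <code>PIN_SESSION_TO_IP</code>, and the 30-minute lifetime are assumptions chosen for the example.</p>

```php
<?php
// Added example of the session state described in the answer (not the answer's code).
// Assumed constants: inactivity limit in seconds, and whether to pin the session to the IP.
declare(strict_types=1);

const SESSION_LIFETIME  = 1800;  // 30 minutes of inactivity before the user is logged out
const PIN_SESSION_TO_IP = false; // optional per the answer; true breaks roaming clients

session_start(); // $_SESSION is populated from the id carried in the session cookie

/** Called only after username and password have been verified. */
function loginUser(int $userId, int $lifetime = SESSION_LIFETIME): void
{
    // Issue a fresh session id on login so an id observed before login is not reused.
    session_regenerate_id(true);

    $_SESSION['loggedIn'] = true;
    $_SESSION['userId']   = $userId;
    $_SESSION['IP']       = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['lifetime'] = $lifetime;
    $_SESSION['lastPing'] = time();
}

/** As the answer says: only loggedIn is cleared; userId stays so the username can be prefilled. */
function logoutUser(): void
{
    $_SESSION['loggedIn'] = false;
}

/**
 * Run on every page load. Returns true if the user is (still) logged in,
 * false if they were never logged in or were just logged out for inactivity
 * or an IP mismatch.
 */
function touchSession(): bool
{
    if (empty($_SESSION['loggedIn'])) {
        return false;
    }

    $now = time();
    if ($now - (int) $_SESSION['lastPing'] > (int) $_SESSION['lifetime']) {
        logoutUser(); // idle longer than the stored lifetime
        return false;
    }

    if (PIN_SESSION_TO_IP && ($_SESSION['IP'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logoutUser(); // session id presented from a different client address
        return false;
    }

    $_SESSION['lastPing'] = $now; // user is active, extend the window
    return true;
}

// Typical use at the top of a protected page:
if (!touchSession()) {
    header('Location: /login.php'); // assumed login page path
    exit;
}
```

<p>Because <code>lastPing</code> and <code>lifetime</code> live on the server, the cookie itself can have a long expiry as the answer notes; the inactivity check in <code>touchSession()</code> is what actually ends the login, and a stale session id is useless once <code>loggedIn</code> has been set to false.</p>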