> I use hash_hmac (md5) function with user's ip address, password and cookie expiration date and no one can decode my encrypted cookies code

Are you simply signing the cookie data with an HMAC? It sounds like it. All an HMAC does is prove that a message has not been tampered with. Further, the IP address restriction is going to severely irritate users behind certain proxy servers.

Because the HMAC is just a *signature*, the cookie data can still be read and is entirely unencrypted, unless you have done so separately. If you have placed any data in that cookie that would permit a third party monitoring the connection access to the site as your user (such as, say, a simple un-salted hash of the user's password), then the HMAC is utterly useless.

If you want to put confidential information in a cookie, you should be using *real* encryption here, not *just* signing the data. (Read: Do both.)

If you are unable to perform actual encryption of the data, and the data is so risky that it *has* to be protected from prying eyes, then you shouldn't be sending it in a cookie. *Or your entire site should be served over SSL*. Or both.

But let's get to the meat of the issue:

If you're trying to simply identify if the current user is logged in, then sessions are a *fantastic* choice. It's hard to make them *not* work.

If you're trying to make a user login persist longer than the length of a session, then cookies are pretty much the most effective tool. However, you don't need to (read: should not) store any interesting information in the cookie. You can simply store a hash of some random data and identify it in the database as belonging to the specified user. Here is where your browser/IP restrictions can come into play. When the user isn't *currently* logged in, then check the cookie. If it's still valid, set their session data and regenerate the cookie with a new hash, invalidating the old one.

Be sure to set it up so the same user can be logged in to different machines without logging the others out. That's annoying as hell.

As for why Wordpress ~~*allegedly*~~ eschews sessions... well, Wordpress isn't the paragon of good design, and has made some huge compromises in the name of working pretty much anywhere. Shared hosting is hell.
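The persistent-login scheme the answer describes, as an added example that is not part of the original answer: the cookie carries only a random selector and a random secret, the database (an in-memory dict here, a constructed stand-in) stores only a hash of the secret per device, and every successful use rotates the token and invalidates the old one, while other devices' rows stay untouched.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class RememberMeStore:
    """Constructed stand-in for a remember_me table: one row per device,
    so the same user can stay logged in on several machines at once."""

    def __init__(self):
        # selector -> {"user": str, "token_hash": bytes, "expires": datetime}
        self.rows = {}

    def issue(self, user, now=None, ttl_days=30):
        """Create a cookie value for `user`. Only a hash of the secret half
        is stored, so a database leak does not yield usable cookies."""
        now = now or datetime.now(timezone.utc)
        selector = secrets.token_urlsafe(9)   # public lookup key, no user data
        token = secrets.token_bytes(32)       # the secret half, never stored raw
        self.rows[selector] = {
            "user": user,
            "token_hash": hashlib.sha256(token).digest(),
            "expires": now + timedelta(days=ttl_days),
        }
        return f"{selector}:{token.hex()}"

    def redeem(self, cookie, now=None):
        """Validate a cookie. Returns (user, fresh_cookie) on success and
        None otherwise; the presented cookie is invalidated either way."""
        now = now or datetime.now(timezone.utc)
        try:
            selector, token_hex = cookie.split(":", 1)
            token = bytes.fromhex(token_hex)
        except ValueError:
            return None                       # malformed cookie
        row = self.rows.get(selector)
        if row is None or row["expires"] < now:
            self.rows.pop(selector, None)     # unknown or expired: drop it
            return None
        # Constant-time compare so a wrong secret cannot be narrowed down by timing.
        if not hmac.compare_digest(row["token_hash"], hashlib.sha256(token).digest()):
            del self.rows[selector]           # known selector, wrong secret: revoke this device
            return None
        user = row["user"]
        del self.rows[selector]               # one-time use: old cookie is now dead
        return user, self.issue(user, now)    # rotate, as the answer recommends
```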