StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POusing mysql to track sessions instead of trusting the server?
primarykey
Id
9541871
data
AcceptedAnswerId
0
AnswerCount
3
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2012-03-02T23:35:35.730
FavoriteCount
0
LastActivityDate
2012-03-02T23:47:07.710
LastEditDate
LastEditorUserId
0
OwnerUserId
1246117
ParentId
0
PostTypeId
1
Score
1
ViewCount
208
LastEditorDisplayName
text
Body
Some context...skip to the bottom for question if you are impatient... I am trying to limit access to four pages on my (future) website to users with a valid username and password pair. To this end, I have a simple PHP/HTML form...in my PHP/HTML form the client types in a username and password, hits 'submit'...the data goes to POST and another PHP script validates the user/passwd pair by using a SELECT in my mySQL database... userpassword table: uid (PRIMARY KEY,INT), username (varchar 32), password (char 128) If the match works then it looks up the access table to see what page that particular username has access to (1 for access, 0 for no access): useraccess table: uid (PRIMARY KEY,INT), securename0(TINYINT), securepage1(TINYINT)... The PHP script then prints out links to the secure pages they have access to. If I understand them correctly, the articles and books I have read state that you normally store a cookie on the client side with a session ID that points to a session file on server that stores the username/password pair and whatever other session variables until it either times out or the user logs out. I don't want to spend the money for a dedicated server. So all that PHP session info is saved all lumped together on the server, along with the other half dozen websites from other customers running on it. This strikes me as horribly insecure... The question is...would it be any more secure to circumvent all that and store/track the per-user session information in my own mySQL table? ie. something like this: session table: sessionkey (PRIMARYKEY, CHAR(128)), uid(INT), expiretimedate(DATETIME), accesstosecurepage0 (TINYINT), accesstosecurepage1(TINYINT)... So when a user hits any "secure" page it would check their session id cookie (if present) and then do a SELECT on the session table to see if that particular "sessionkey" is present, then give them access depending on what accesstosecurepage0,1,2,etc. are set to. Would this work better than the alternative or am I wasting my time?
Tags
<php><mysql>
Title
using mysql to track sessions instead of trusting the server?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USTimothy John Laird
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POusing mysql to track sessions instead of trusting the server?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COHm, that's not the only reason why shared hosting is not very "secure". In many cases the servers are not properly secured against privilege escalation or unauthorized file access (like reading database configuration files from other customers). Maybe a VServer is an option if you don't want to spend a lot of money? In Germany, those can be had for a few euros a month.
 singulars
 PostPostId
 POusing mysql to track sessions instead of trusting the server?
 UserUserId
 USNiklas B.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.