[ale] User authentication in web app
- Subject: [ale] User authentication in web app
- From: cleon42 at yahoo.com (Adam Levenstein)
- Date: Tue Mar 16 11:56:26 2004
- In-reply-to: <1079446379.21367.30.camel@devel>
Storing the password, or any authentication level, in a cookie is a Bad
Idea. Cookies are easy to duplicate.
A good way to handle sessions is to authenticate once against the user
table, and create a server-side session handler (usually a lengthy
unique identifying string) and associate the authentication level with
*that*, on the server (or DB). Then time out the session if there's no
activity for x minutes.
I also want to echo what someone else said about not doing encryption
on the DB side; try to be conscious of load. The less load on your DB,
the more easily scalable your app. You may want to consider spreading
your app out into a web layer, appserver layer (where much of the
business logic lives), and database layer. If you evenly distribute the
app, you'll have an easier time taking increasing load.
Adam
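The session scheme Adam describes, worked through as an added example (this is not code from the original post or from the ale list): the client cookie carries only an opaque random session id, the authentication level lives in a server-side table keyed by that id, and the entry is dropped after a period of inactivity. The user table, the password-hashing choice (PBKDF2 is assumed here; the post does not say how passwords are stored), the 15-minute idle timeout, and the `SessionStore`, `authorize` and `FakeClock` names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed idle timeout; the post leaves "x minutes" open.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Ordering used to compare authentication levels (assumption for the example).
LEVEL_RANK = {"user": 1, "admin": 2}

# Constructed user table. A real system would use a per-user random salt;
# one fixed salt keeps the example short.
_SALT = b"demo-salt-not-for-production"


def _hash_password(password, salt=_SALT):
    # PBKDF2-HMAC-SHA256 is assumed here; the post does not specify a scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {"pw_hash": _hash_password("correct horse"), "level": "admin"},
    "bob": {"pw_hash": _hash_password("battery staple"), "level": "user"},
}


class SessionStore:
    """Server-side session table: session id -> {user, level, last_seen}."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the timeout can be tested offline
        self._sessions = {}

    def login(self, username, password):
        """Authenticate once against the user table; return a new session id or None."""
        user = USERS.get(username)
        if user is None:
            # Hash anyway so an unknown username costs the same time as a bad password.
            _hash_password(password)
            return None
        if not hmac.compare_digest(user["pw_hash"], _hash_password(password)):
            return None
        # 32 random bytes -> 43-char URL-safe string: the "lengthy unique identifying
        # string" the post recommends. Only this id goes into the cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": username,
            "level": user["level"],  # auth level is bound to the id on the server
            "last_seen": self._clock(),
        }
        return sid

    def lookup(self, sid):
        """Return {user, level} for a live session, refreshing its idle timer, else None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: require a fresh login
            return None
        rec["last_seen"] = now
        return {"user": rec["user"], "level": rec["level"]}

    def logout(self, sid):
        self._sessions.pop(sid, None)


def authorize(store, cookies, required_level):
    """Decide access from the 'sid' cookie alone.

    Any other cookie the client sends (e.g. a forged 'level=admin') is ignored,
    which is the point of keeping the level server-side.
    """
    session = store.lookup(cookies.get("sid", ""))
    if session is None:
        return False
    return LEVEL_RANK[session["level"]] >= LEVEL_RANK[required_level]


class FakeClock:
    """Manually advanced clock for demonstrating the inactivity timeout."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.login("bob", "battery staple")
    # A client cannot raise its own level by editing cookies:
    print(authorize(store, {"sid": sid, "level": "admin"}, "admin"))  # False
    print(authorize(store, {"sid": sid}, "user"))                     # True
    clock.t += IDLE_TIMEOUT_SECONDS + 1
    print(authorize(store, {"sid": sid}, "user"))                     # False (timed out)
```

The cookie should additionally be marked `HttpOnly` and, over TLS, `Secure`, and the id should be regenerated on login to avoid fixation; both are outside what the post covers and are left to the web framework in use.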