Anton Seredny, 2016-07-12 11:08:48
PHP

Checking for user authorization. Do I need to check with the data in the database with every gesture?

It is necessary to make an authorization system, quite simple, but still I would like to maintain security.
So I've read articles about this, including on the toaster, and now porridge is in my head. I'll try to ask the main questions:
1) What should be stored in the session for the user? The session ID and a hash?
2) Should I make a request to the database on each page and check the data? I have a small project, max 5 people online at the same time, but it's still strange to make a request every time I visit any page.
3) Maybe there are ready-made authorization systems that are easy to attach to your script?


1 answer(s)
IceJOKER, 2016-07-12
@smidl

1. You can store anything in sessions, they are not visible to users, but it is still better to store a hash.
2. You can check whether there is an authorization session, and if so, you can discard the check. But still, it's better to make the logic so that on each page the database is requested for basic user data, so you will have user data and at the same time check whether the user is logged in or not. Most importantly, it all depends on the situation, on the project. For example, what if you delete user data from the database, and the user was previously authorized and there is information in the sessions that he is authorized? What then? He is not in the database, but he is in the sessions; until the sessions are reset or the browser is closed, the user will be able to break the logic in the database (add data from a "remote" user, etc.). I hope you understand.
3. Have you tried searching? I have never used or come across any, but I am 99% sure that there are a lot of such scripts.
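
An added example, not part of the original thread or the answerer's own code: the per-request check from point 2, where one lookup both loads the user and invalidates a session whose account no longer exists. The `users` table, its columns, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the project's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pass_hash TEXT, is_active INTEGER)');
$ins = $pdo->prepare('INSERT INTO users (login, pass_hash, is_active) VALUES (?, ?, 1)');
$ins->execute(['anton', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Login (hypothetical helper): verify the password, then keep only the user id in the session.
function log_in(PDO $pdo, array &$session, string $login, string $password): bool
{
    $st = $pdo->prepare('SELECT id, pass_hash FROM users WHERE login = ? AND is_active = 1');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) here against session fixation.
    $session = ['user_id' => (int) $row['id']];
    return true;
}

// Per-request check (hypothetical helper): one primary-key lookup that loads the
// user and confirms the account still exists and is active.
function current_user(PDO $pdo, array &$session): ?array
{
    if (!isset($session['user_id'])) {
        return null;
    }
    $st = $pdo->prepare('SELECT id, login FROM users WHERE id = ? AND is_active = 1');
    $st->execute([$session['user_id']]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        $session = [];   // stale session: the account was deleted or disabled
        return null;
    }
    return $user;
}

$session = [];  // stands in for $_SESSION after session_start()
var_dump(log_in($pdo, $session, 'anton', 'constructed-password'));
var_dump(current_user($pdo, $session) !== null);
$pdo->exec("DELETE FROM users WHERE login = 'anton'");  // the case from the answer
var_dump(current_user($pdo, $session));
var_dump($session);
```

In a real request, pass `$_SESSION` after `session_start()` in place of the local `$session` array.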
