Good day. Situation: there is a user's personal account, and access to the personal account is granted after authorization through the session. Is it necessary to check the data from the session against the data in the database for this user on every page of the personal account (for example, I compare the hash of the login and password), or is it enough to check for the existence of some key variables in the session and not make database requests?


    Usually, a session is what is activated for each unique session of the user with the server. Authorization takes place once, and on a successful login/password check the user ID is recorded in the session variable instead of the default guest. Then, on each transition from one page to another, the server reads this very identifier from the session variable and does something based on it. For example, it checks whether this user is allowed to access certain pages.

    In some cases, for security, the client IP of the last call to the server is written to the session, so that on the next check it is possible to detect a change and reset the authorization. For example, in case the session cookie has somehow leaked to a third party.
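The approach in this answer (user ID in the session, checked on every page, optional IP binding) as an added PHP example that is not part of the original answer; it assumes a PDO connection `$pdo` and a hypothetical `users` table with columns `id`, `is_active` and `session_version`:

```php
<?php
declare(strict_types=1);
// Added example, not from the answer above. Assumes a PDO connection $pdo and a
// hypothetical users table with columns id, is_active, session_version.
session_start();

// Called once, right after a successful login/password check. Only the user's
// DB id and a "session version" go into the session, never the password hash.
function loginUser(int $userId, int $sessionVersion, string $clientIp): void
{
    session_regenerate_id(true);            // fresh id guards against session fixation
    $_SESSION['id'] = $userId;
    $_SESSION['session_version'] = $sessionVersion;
    $_SESSION['ip'] = $clientIp;            // optional IP binding, as in the answer
}

// Called at the top of every personal-account page. Cheap session-key checks
// first, then one small query so that a deactivated account or a "log out
// everywhere" action (bumping session_version in the DB) takes effect at once.
function requireLogin(PDO $pdo, string $clientIp): int
{
    if (!isset($_SESSION['id'], $_SESSION['session_version'])) {
        logoutAndRedirect();
    }
    if (isset($_SESSION['ip']) && $_SESSION['ip'] !== $clientIp) {
        logoutAndRedirect();                // cookie presented from another address
    }
    $stmt = $pdo->prepare('SELECT is_active, session_version FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !$row['is_active']
        || (int) $row['session_version'] !== (int) $_SESSION['session_version']) {
        logoutAndRedirect();
    }
    return (int) $_SESSION['id'];
}

function logoutAndRedirect(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}

// Usage on a page: $userId = requireLogin($pdo, $_SERVER['REMOTE_ADDR']);
```

The per-request query is a primary-key lookup, so it is cheap, and the `session_version` column lets an administrator invalidate all of a user's sessions with one update. Binding the session to the client IP will log out users whose address changes legitimately (mobile networks, some proxies), so weigh that against the benefit.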

      Check the session; it is unique and can only be read by the server.

      • In the sense of checking whether a session exists at all? Is that what you mean? - juniorspecialistphp
      • During authorization, for example, write the user's ID from the database into `$_SESSION['id']`. And then check `$_SESSION['id']` everywhere. - Maksym Prus