[ale] User authentication in web app

Adam Levenstein cleon42 at yahoo.com
Tue Mar 16 11:56:26 EST 2004


Storing the password, or any authentication level, in a cookie is a Bad
Idea. Cookies are easy to duplicate.

A good way to handle sessions is to authenticate once against the user
table, and create a server-side session handler (usually a lengthy
unique identifying string) and associate the authentication level with
*that*, on the server (or DB). Then time out the session if there's no
activity for x minutes.

I also want to echo what someone else said about not doing encryption
on the DB side; try to be conscious of load. The less load on your DB,
the more easily scalable your app. You may want to consider spreading
your app out into a web layer, appserver layer (where much of the
business logic lives), and database layer. If you evenly distribute the
app, you'll have an easier time taking increasing load.

Adam
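A server-side session table of the kind described in the post above, as an added example (not code from the post or from the list): the browser only ever holds an opaque random id, the authentication level lives on the server, and idle sessions expire. The in-memory dict, the 15-minute timeout and the injectable clock are assumptions for illustration.

```python
# Added example (not from the mailing-list post): a minimal server-side
# session store. Only a random, unguessable session id is handed to the
# client; the user and auth level are looked up on the server each request.
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # the post's "x minutes"; assumed value


class SessionStore:
    """In-memory session table keyed by a random session id."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}  # session_id -> {"user", "auth_level", "last_seen"}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout can be tested offline

    def create(self, user, auth_level):
        # 32 random bytes -> 43-character URL-safe id. This is the only value
        # that goes into the cookie; it carries no password and no role.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user,
            "auth_level": auth_level,
            "last_seen": self._clock(),
        }
        return session_id

    def lookup(self, session_id):
        """Return (user, auth_level) for a live session, or None.

        An expired session is deleted on access; a live session has its
        idle timer reset, so activity keeps it alive.
        """
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[session_id]
            return None
        entry["last_seen"] = now
        return entry["user"], entry["auth_level"]

    def destroy(self, session_id):
        """Explicit logout: forget the session on the server side."""
        self._sessions.pop(session_id, None)
```

Because the auth level is read from the server table on every request, a copied cookie can only ever grant what the server still records for that id, and a destroyed or expired id grants nothing.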


