Sheldon,

Do you really need to store the password?

In our environment we have an LDAP server that all users are in, so we use that for authentication. We then store only their user profile in a session variable. We use a generic profile/password from a config file for database access.

Glenn

On 9/21/2011 2:45 PM, Sheldon Foster wrote:
I would sure appreciate some advice.

I've been programming in RPG for a few years and have some exposure to PHP,
but am still in the learning process. I am trying to get a feel for what
the best practices are for getting login information from a user and then
maintaining that throughout the application.

These are the questions I have:

1) Is there a preferred method for validating a username/password
combination? I know of the following ways but am not sure of their
pros/cons (other than in both cases a user could accidentally/purposefully
disable another user's login):

a. Simply testing a connection using the user/pwd that was passed
using POST (filtering it first of course for any injections, etc.).

b. Using the RPG API QSYGETPH (get profile handle), check if a profile
handle is returned and if so then authentication is successful.

2) Is storing the username/password as session variables sufficient
(especially if they are encrypted)?

a. I know there is a php function called mcrypt. Would it be
sufficient to use this function alone to encrypt these variables?

b. Someone here on midrange.com suggested using the Zend framework to
extend the Zend_Session_Namespace in conjunction with mcrypt to accomplish
this. My problem with this method is that we aren't really using the
framework at this point (we may in the future), but I am wondering what this
method has over a simple use of the mcrypt function alone.

3) Searching online, some have recommended storing the user credentials
in a database file instead of session variables. What are the pros/cons of
this compared to using session variables?

Thanks for your time and expertise!

Sheldon
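Added example, not code from the thread or from either poster: a PHP login handler in the shape Glenn describes and that answers Sheldon's 1a and 2. It validates the POSTed username/password with an LDAP bind, keeps only the user's identity in the session, and leaves database access to a service account read from config. The host ldaps://ldap.example.com, the base DN ou=people,dc=example,dc=com, the uid naming attribute and the /home redirect are assumed placeholders.

```php
<?php
// Added example (not from the thread): LDAP-bind authentication, then a
// session that holds the identity only. Assumed placeholders: LDAP_HOST,
// LDAP_BASEDN, the "uid" attribute and the /home redirect.
declare(strict_types=1);

const LDAP_HOST   = 'ldaps://ldap.example.com';    // assumed
const LDAP_BASEDN = 'ou=people,dc=example,dc=com'; // assumed

/**
 * Returns the user's DN on success, null on failure. The password is used
 * for the bind and for nothing else; it is never written anywhere.
 */
function ldapAuthenticate(string $username, string $password): ?string
{
    // Many directories treat a bind with an empty password as an anonymous
    // bind that *succeeds*. Reject it before it ever reaches the server.
    if ($username === '' || $password === '') {
        return null;
    }

    // Escape the username before building a DN from it; otherwise a crafted
    // username can rewrite the DN (the LDAP analogue of SQL injection).
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASEDN;

    $ldap = ldap_connect(LDAP_HOST);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // @ silences the warning PHP emits on a failed bind; the result is checked.
    $ok = @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);

    return $ok ? $dn : null;
}

function loginHandler(): void
{
    session_start();

    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $dn = ldapAuthenticate($username, $password);
    if ($dn === null) {
        // One message for "no such user" and "wrong password".
        http_response_code(401);
        echo 'Login failed';
        return;
    }

    // Drop the pre-login session id so a session an attacker fixated before
    // login is not promoted to an authenticated one.
    session_regenerate_id(true);

    // Identity only. No password, encrypted or not: the key would have to
    // live on the same server as the session data, so encrypting it buys
    // nothing against anyone who can read the session store.
    $_SESSION['user'] = ['dn' => $dn, 'uid' => $username, 'login_at' => time()];

    // Database work uses the service account from config (e.g. for
    // db2_connect on IBM i), so nothing secret has to outlive this request.
    header('Location: /home');
}

loginHandler();
```

Two points worth keeping in mind when adapting this: the empty-password check matters because an "anonymous bind succeeded" looks identical to a real bind from PHP's side, and `ldap_escape` with `LDAP_ESCAPE_DN` is what stops a username such as `bob,ou=admins` from changing which entry is bound. Whether the session lives in PHP's file store or in a database table (Sheldon's question 3) does not change the rule: store a reference to who the user is, and re-authenticate rather than replay a stored password when a fresh credential is genuinely required.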



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.