Access Control System Lookup
I'm working on a project with an authentication system that I'm looking to clean up. The short story of this project is a lack of consistency regarding authentication. I have a table of users and a table of profiles with associated permissions. I'm looking at going two routes:
Option 1: Query the database on every page to check to see if the user has permission, then allow or deny them
Option 2: Query the database when they login and store all the permissions in the $_SESSION array. Currently the system uses this method.
I've done some reading, and I've heard arguments on both sides. Can anyone offer some additional insight? The one thing I am considering right now is that in the process of revising authentication, there will be a lot more individual permissions added, which would make the array considerably large. Would there be any noticeable performance issues with going either route?
One possible alternative is to have an optional parameter for "important" pages that looks at the last login time (which you'd track in the session data), and if it's more than some arbitrary number of minutes (hours, seconds?) old, then it requires the user to login again (and typically also generates a new session ID). This way you can require a "fresh" login for operations that modify data or that reveal sensitive data, while being more lenient about general view-only actions.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
How to Ask Questions the Smart Way
(not affiliated with this site, but well worth reading)
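An added example (not code from either poster) that puts the two threads together: the question's option 2 (permissions cached in $_SESSION at login) with a cheap staleness check so a profile change by an admin is picked up without re-querying the whole permission set on every page, plus the reply's "fresh login" rule for pages that modify or reveal sensitive data. It assumes a PDO connection `$pdo`, a `users` table with `id`, `profile_id` and a `perms_version` counter that an admin tool bumps whenever a profile's grants change, and a `profile_permissions` table with `profile_id` and `permission`; all of these names are hypothetical. `session_start()` is assumed to have run already.

```php
<?php
// Added example, not from the original thread. Table and column names
// (users.perms_version, profile_permissions) are assumptions.
declare(strict_types=1);

const FRESH_LOGIN_MAX_AGE = 300; // seconds a login counts as "fresh" for sensitive pages
const PERMS_TTL           = 60;  // seconds between version checks of the cached set

function loadPermissions(PDO $pdo, int $userId): array
{
    $stmt = $pdo->prepare(
        'SELECT pp.permission
           FROM users u
           JOIN profile_permissions pp ON pp.profile_id = u.profile_id
          WHERE u.id = :id'
    );
    $stmt->execute([':id' => $userId]);
    // Keep it as a set (permission => true): lookups stay O(1) however many grants exist.
    return array_fill_keys($stmt->fetchAll(PDO::FETCH_COLUMN), true);
}

function permissionsVersion(PDO $pdo, int $userId): int
{
    $stmt = $pdo->prepare('SELECT perms_version FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return (int) $stmt->fetchColumn();
}

// Call once, right after the password check succeeds.
function establishSession(PDO $pdo, int $userId): void
{
    session_regenerate_id(true);              // new ID on privilege change (session fixation)
    $_SESSION['user_id']       = $userId;
    $_SESSION['auth_time']     = time();      // read by requireFreshLogin()
    $_SESSION['perms']         = loadPermissions($pdo, $userId);
    $_SESSION['perms_version'] = permissionsVersion($pdo, $userId);
    $_SESSION['perms_checked'] = time();
}

// Option 2 with a safety valve: trust the cached set, but every PERMS_TTL seconds run
// one single-row query; if the version moved, reload the set from the database.
function refreshPermissionsIfStale(PDO $pdo): void
{
    if (time() - $_SESSION['perms_checked'] < PERMS_TTL) {
        return;
    }
    $current = permissionsVersion($pdo, $_SESSION['user_id']);
    if ($current !== $_SESSION['perms_version']) {
        $_SESSION['perms']         = loadPermissions($pdo, $_SESSION['user_id']);
        $_SESSION['perms_version'] = $current;
    }
    $_SESSION['perms_checked'] = time();
}

function hasPermission(string $permission): bool
{
    return isset($_SESSION['perms'][$permission]);
}

function requirePermission(PDO $pdo, string $permission): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    refreshPermissionsIfStale($pdo);
    if (!hasPermission($permission)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// The reply's rule: for pages that modify or reveal sensitive data, send the user back
// through the password prompt when the login is older than FRESH_LOGIN_MAX_AGE.
function requireFreshLogin(): void
{
    if (empty($_SESSION['auth_time'])
        || time() - $_SESSION['auth_time'] > FRESH_LOGIN_MAX_AGE) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
        header('Location: /login.php?reauth=1');
        exit;
    }
}

// At the top of a sensitive page such as change-email.php:
//   requirePermission($pdo, 'account.edit');
//   requireFreshLogin();
```

Two points worth noting about the design. The size of the permission array is not the real cost of option 2: a string-keyed set lookup is constant time, and a few hundred entries in the session file are negligible. The real cost is staleness, which is why the version counter exists: a revoked grant takes effect within PERMS_TTL seconds instead of persisting until the next logout. And when the login page handles `reauth=1`, it should call `session_regenerate_id(true)` again after the password check, as the reply suggests, so the fresh session does not keep the old identifier.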