How to set up my login system?

I'm trying to figure out if it is better to store my user's data in a session cookie (like password, username, etc.), and update that cookie only when I change the MySQL database from my PHP,

OR

Store the user's username and user ID in a session cookie and reach out to the MySQL database every time I need to get the user's data.

Which one is the better method? I've never actually set up a login system so any advice would be much appreciated.

Answers


A session and a cookie aren't the same. A session simply stores its session ID in a cookie (client-side) and all the session data on the server. I presume you really meant session where you used the word 'cookie'.

Moving ahead to answer your actual question, it's perfectly fine and safe to store most user details in the session. You should never need to store the password in a session though, since you use it only for authentication. Apart from that, it's ideal to cache frequently used user data (things that you may display on every page) in your session to save trips to the DB.

The concern that Chris mentioned - changes to user data - is almost non-existent, because user data will (should) not be modified by anyone except the user himself, in which case you can update the session along with the DB.
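
The approach described in the answer above, as an added example that is not part of the original thread: verify the password against a stored hash, cache only non-secret user fields in `$_SESSION`, and refresh that cache whenever the user changes their own data. The `users` table, its columns and the function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are assumptions, not the asker's schema.

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, username, display_name, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the submitted password against the stored hash.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);    // fresh session ID at login, so a pre-login ID cannot be reused
    unset($user['password_hash']);  // neither the password nor its hash goes into the session
    $_SESSION['user'] = $user;      // stored server-side; the cookie carries only the session ID
    return true;
}

function updateDisplayName(PDO $db, string $newName): void
{
    if (!isset($_SESSION['user'])) {
        throw new RuntimeException('Not logged in');
    }
    // Write to the database first, then refresh the cached copy so both stay in sync.
    $stmt = $db->prepare('UPDATE users SET display_name = ? WHERE id = ?');
    $stmt->execute([$newName, $_SESSION['user']['id']]);
    $_SESSION['user']['display_name'] = $newName;
}

// Constructed demo data: one user in an in-memory SQLite database (stand-in for MySQL).
session_start(['cookie_httponly' => true]);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, display_name, password_hash) VALUES (?, ?, ?)')
   ->execute(['alice', 'Alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$rejected = login($db, 'alice', 'wrong guess');
$accepted = login($db, 'alice', 'correct horse');
updateDisplayName($db, 'Alice A.');
var_dump($rejected, $accepted);
print_r($_SESSION['user']);
```

Pages that only display the cached fields can read `$_SESSION['user']` without a database query; anything changed outside the user's own session still needs a fresh lookup.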


Good question. I've kept the user data in the PHP session. Since that's all server side it should be safe to do so, and avoids an extra database lookup.

The downside is that you won't automatically pick up changes to the database that happen during that session... but user data isn't normally so dynamic that I'd care.


You shouldn't store a password in a cookie. I would store the details in the DB and use memcached to reduce the load on the DB.

