Store authentication level in session or repeat query for it?

screative

Which is the better practice?

Store authentication level in the session or repeat query for the value. I would rather store it in the session than keep hitting the db for the value, but how secure is that? Everything is over SSL.

screative

A followup question about database query load. If I did a query on the database every time a page loaded how much extra load will that put on the server? Is that a common practice among large sites?

Bjom

The question is: How is the design of you application? Do you "hit" the DB anyway perhaps, then the obvious choice is to store everything there anyway?

Are you aware that the alternative means hitting the server's filesystem (assuming that you use PHP's built in session handling), since the session data is stored in a textfile there?

Security wise the only difference is when someone gets access to the session files on the server. Then encrypting all data in it will provide extra security.

Bjom

screative

Thanks Bjom,

To this point I have created my application to limit the number of database queries as much as possible which is why storing the authentication level in the session is attractive. However, after thinking more about it I realized if I want to get granular with my site permissions on an item by item basis it would be best to do that with queries. Plus if I store the authentication information in the session it won't update immediately if the auth level changes in the database.

I'll go with the database queries.

Bjom

But how is the auth level changing in the DB? That won't happen by itself would it? You need to start a session on every page anyway for the logged-in functionality. Whenever you change auth level, you should even regenerate the session id with session_regenerate_id(true);

If you want to make the sessions completely use DB there is a way too...

screative

I was thinking of a case when I would change the auth level of a user who was currently logged in. The user's new rights would not take effect until the session expired. I'll check into session_regenerate_id.

Thanks!

Bill

Bjom

How about logging the user out, change the auth level and have him log back in again?