Geek Answers Handbook

Session Variable Management Methodologies

I have been reading triggers (mysql) in the last few days ... specifically, what I'm trying to do is find a good methodology for updating user information.

The use of this case is connected with the user management system: Take, for example, the admin user, updating the regular user to manager , this change of the user type will then enable|disable program functions on the interface.

Problem: You will not know about this type user change unless you query the database and reset, say, for example, the variable $_SESSION['user']['type'] and or user login from the system.

Question: Are there any good methodologies for solving this headache?

+8
php mysql triggers session session-variables
source share
8 answers

I don't think mysql triggers would be ideal for this . What for? Because you are likely to come across part of the logic in php and part in mysql. It is a good thing to stay with one technology, because it will be easier to maintain / debug code for you and your colleagues later.

So, in your case, if you want the user role change to take immediate action, you will either have to load the user role in each run or logout of the script using some flag in the database that signals that its session (or you can implement your own session_set_save_handler , which would save the session somewhere in a file where you could delete it to exit the system).

It depends on your needs, the solution of which is best suited to your business.

  • If your roles are logically complex and consists of several roles assigned to one user, as well as additional permissions / exceptions for each user, it might be better to do this to check once a user logs in , and then just remember the result using the session.
  • If checking permissions on every script run is not a problem , you can do this . But keep in mind that for security reasons it may be good practice to get the user to log in again.
  • If a user logging out can cause a loss of work , you must allow the user to log out and apply new permissions after the next login (you can show the user a message that new permissions are waiting for logging in).

So it really depends on your needs, to choose whether it is better to log out of the system, give it new permissions right away or wait for the next login.

+4
source share

Question: Are there any good methodologies for solving this headache?

Find good reasons not to do this!

Although this may sound like a joke, I'm absolutely serious. You must consider:

  • What is the value of this feature?
  • Is a headache worth the cost?
  • What are the risks of this function (incomplete work / system coordination)?
  • Do you need to change the system kernel?
  • Will you need to check the system?
  • Are other really great features expected (system improvements)?

Someone who doesn't like answering these questions really doesn't need this feature.

Find simple alternatives:

  • Call the user and ask to log out.
  • Notify user by email.
  • Provide a button for email notification.
  • Send an email notification automatically after changing permissions.

This is not laziness. Just focus on real value.

+2
source share

One alternative would be to execute ajax requests with a certain time interval, which will update the user $ _SESSION. If you have any changes to 'type' , you can do whatever you want, for example, force the user to re-enter your application or do nothing but update the $ _SESSION information. Of course, you need to know if you really need to get this information before the user logs out and logs in next time with an updated profile.

+1
source share

I think keeping your session cached like Redis will give you an added advantage. It is lighter than storing session data in a database. You can create clusters very easily. Click here for an example implementation.

So, as soon as the user "type" changes, you can load the redis cache and update it according to your desire.

+1
source share

I think the safest way to do this, and the one I would choose is a "headache" method.

  • 'regular' user Log in and open session A1.
  • User "admin" updates A to "manager".
  • Session A1 is currently a valid session, but it does not provide "manager" user privileges.
  • When user A logs out and logs in to session A2, this session will now give the user all the privileges of the "manager" by viewing the current "type" from the database.

An alternative that can be a little expensive depending on your application:

Each time a user submits a session token, use the database to verify that the session is valid. If this session has incorrect information (ie, the "Type" no longer matches), force the user to log in again.

Adding another alternative:

Do not use the MYSQL trigger when the caller (administrator) updates User A 'type', it also makes a call wherever you cache the sessions, and either (a) updates the session (not recommended)) or (b) invalidates the session and forces user login again.

* Please note that all these solutions require the user to re-enter their credentials after they have the new "manager" function before they can access the "manager file". I believe this is a safer practice than updating a session without any authentication.

0
source share

My recommended methodology would be to store the type each user in the database. The problems that arise if you decide to keep type as a session variable will be (among others):

  • As soon as the session ends, this information will be lost. Typically, sessions last 30 minutes, although you can change this as long as you want. However, if you create a session that lasts 1 month, then anyone who has access to this user's computer will be logged into the user account without the need to use any password .

  • You will not be able to use the powerful and advanced queries offered by databases (for example, MySQL, which uses SQL). If you store your information in sessions, you may find a way to search for 1-on-1 user information, but why reinvent the wheel? This is not an easy development of the database structure from scratch, so I would not recommend doing it.

As for your problems accessing the database after updating the information, I would not say that this information applies as soon as possible. Let's imagine the following examples:

one)

If the user is currently a manager and loads a website where he can do powerful actions, and immediately after that he drops to the level of a regular user, then the presence of this information in the database will work fine. If the user tries to use his credentials (this is not his), he will click a button that will send a request to the database to confirm its type . Database queries are very fast, so speed is not a problem. I would be more interested in the speed you need to get information from a session variable than from a database.

2)

If the user was on the page while he was a regular user, and on the page he became a manager , then he will be able to exercise his authority after updating the page. I mean, if you used sessions, and you wanted the page to automatically retrieve information using AJAX , and then update its settings on the page, which would consume much more server power than a simple update.

For a simple SELECT * FROM myTable WHERE id = 4 may take only 1 millisecond to execute in the database. Databases were specifically designed for their speed, so they prefer

HOWEVER , perhaps you do not have access to the database, and that is why you are looking for an alternative? Well, you're in luck! MySQLi is a database that uses only a file to store information. It was specifically designed for users who do not have many resources and has many features like MySQL.

0
source share

Since each user has a role or type , this means that the ability to view or edit content in your application is strongly associated with this factor. This means that the two main things your session variables should have are userID and userType , which you should also store in your database

These pieces of information can be passed to $_SESSION['user'] , for example, as a small array, where your array key can be a userID and userType value.

 $_SESSION['user']=array($userID => $userType);

After the user logs in, your initial values ​​are saved in session . So that your application userA that userA can view or edit in your application, you basically do a comparison in the script with userType that userA has. But in order to achieve what you want, you basically need to re-extract some of the information at the beginning of each VIEW/PAGE your application. If a new userType been assigned to userA , just show the message that he / she will automatically exit after 15 seconds (give time to read the message itself) for the changes to take effect. As long as your user sees this message, you take the current session data that he / she may have and save it in the database, as some session variables may or may not be available when updating or lowering the userType level. By placing a userType comparison at the beginning of each VIEW/PAGE your application, you save a headache that the user may lose.

0
source share

If your scripts use $_SESSION['user']['type'] to find out about the privileges of the user, I would just change its value. Or maybe I did not understand this problem?

-one
source share

More articles:


All Articles