1

Possible Duplicate:
How to best store user information and user login and password

In our application, we have users from different companies. However, all users log in from the same page. Each company has its own database name and password.

When a user tries to log in, I check for his/her user name and password (salted, and sha-2 hashed). If the they are authorized, i need to connect them to their firm's database.

The firms database name and passwords is encoded and stored in table, should i check and decode database name and password every time when the user needs to access the firm's database. Are there any way to DEFINE firms database name and password (encoded) in config file or something ? What is the secure, modern and professional way for this?

Users table

  Users    pass  firm_id
  user1    123     3
  user2    344     2
  user4    435     3
  user5    535     2

firm table

  firm_id     firm         db_name    pass
    2        ACG co.       klf        123
    3        XYZ co.       tef        434
Community
  • 1
  • 1
aliaktas
  • 165
  • 10
  • 1
    i see no value in encoding their db name. what's the firm password for? does the mysql user have access to all dbs? –  Nov 20 '12 at 19:53
  • if some reason, the passwords have seen by somebody. they could not be accessed easily. The guy also need "key" to decode the password – aliaktas Nov 20 '12 at 19:56
  • in a somewhat similar situation i just use one mysql user for accessing all db's. The rest as 'standard' user\password, when they log in there db is set in a session and that used for all queries –  Nov 20 '12 at 19:58
  • AFAIK, there is no option to send an encrypted user credentials, for mysql authentication bot there is such option [in postgresql](http://www.postgresql.org/docs/8.2/static/auth-methods.html#AUTH-PASSWORD). Maybe you can use some of the keywords to google for alternative of this functionality in MySQL. – tereško Nov 20 '12 at 20:01
  • In fact, i look for if i can store firm/company database and password in somewhere rather than to check them every time the logged user need to access db. – aliaktas Nov 20 '12 at 20:07
  • 1
    I thought that it would be dangerous to keep database name and password in cache. even it is encoded and the key is needed to find out password. Once the database name ans passwords reveals, all information can be accessed. Even the user should not know the database password – aliaktas Nov 20 '12 at 20:14
  • sessions are stored serve side. –  Nov 20 '12 at 20:15
  • http://stackoverflow.com/questions/233867/is-a-session-id-generated-on-the-server-side-or-client-side ...AFAIK, session data generated at server side and also stored in client side – aliaktas Nov 20 '12 at 20:18
  • You use anything in particular for your data access layer? – dispake Nov 20 '12 at 20:45
  • I could not get the point clearly. However, i use PDO to access mysql db. Recently, i look for creating user specific config.php file outside of web root which may also keep the firm's database name and password. – aliaktas Nov 20 '12 at 20:53

0 Answers0