Ferreteria/sql/user session: Difference between revisions

From Woozle Writes Code

Revision as of 02:01, 26 July 2009

About

  • History:
    • 2009-06-18 design started - first draft, not sure concept is right
    • 2009-07-10 each session ties to a cart, not vice-versa; Token is now a random string
  • Relations:
  • Usage:
    • For now, we will be treating each "client" as having its own session which never expires. Having a separate class for the session, though, lets us decouple these things later on if we want to.
    • There should eventually be an "empty cart" button; if the user has not logged in, then that button should start a new session rather than clearing the cart for the current session.
  • Fields:
    • WhenClosed: if not NULL, this session must not be reused (the visitor might be a different user returning to the same cart, or might be the same user; without a login there is no way to tell, so take the safest choice and start a new session). If a session is accessed after WhenExpires, the code should explicitly set WhenClosed to NOW() rather than just declining the request, so the row is permanently marked as unusable.

Security

I briefly toyed with the idea of only allowing the session to be set via http query within the secure area once and thereafter requiring it to come from a cookie, but anyone familiar with wget could spoof a cookie pretty easily, so this didn't seem worth the effort.

The real security comes from requiring that the client's fingerprint (browser + IP address) "match" the one recorded for that client before authorizing renewal of a session. Two limits of that fingerprint are worth keeping in mind: the browser half (the User-Agent header) is client-supplied and no harder to forge than a cookie, and the IP half changes for clients behind NAT, proxies, or on mobile networks, so a strict match can both lock out a legitimate user and fail to distinguish two users sharing one address. The fingerprint check is a hurdle against casual token reuse; the unguessable Token and the WhenExpires/WhenClosed handling above are what bound the damage when it is bypassed.
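The renewal rules from the field notes above (WhenClosed is final, an access after WhenExpires closes the session, a NULL WhenExpires means "never expires") and the fingerprint check from this section, worked through as one runnable example. This is added illustration code, not Ferreteria's own PHP or the page's SQL: it uses an in-memory sqlite copy of the shop_session table instead of MySQL/MyISAM, and it assumes a shop_client table with a Fingerprint column, a SHA-256 hash of "user-agent + IP" as the fingerprint, and a two-hour lifetime, none of which the page specifies.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

# sqlite rendering of the page's shop_session table (MySQL types mapped to
# sqlite affinities; ENGINE and COMMENT clauses dropped).  shop_client is
# not defined on the page: its Fingerprint column is an assumption made
# here so the renewal check has a stored value to compare against.
SCHEMA = """
CREATE TABLE shop_client (
  ID          INTEGER PRIMARY KEY AUTOINCREMENT,
  Fingerprint TEXT NOT NULL
);
CREATE TABLE shop_session (
  ID          INTEGER PRIMARY KEY AUTOINCREMENT,
  ID_Client   INTEGER NOT NULL REFERENCES shop_client(ID),
  ID_Cart     INTEGER DEFAULT NULL,
  Token       TEXT UNIQUE,
  WhenCreated TEXT,
  WhenExpires TEXT,
  WhenClosed  TEXT
);
"""

SESSION_TTL = timedelta(hours=2)   # assumed lifetime; the page fixes none
FMT = "%Y-%m-%d %H:%M:%S"          # MySQL DATETIME text form


def fingerprint(user_agent: str, ip: str) -> str:
    """Hash of browser + IP: the 'fingerprint' renewal is keyed on (assumed form)."""
    return hashlib.sha256(f"{user_agent}\n{ip}".encode()).hexdigest()


def new_token() -> str:
    """Random session identifier; 30 hex chars (120 bits) fits VARCHAR(31)."""
    return secrets.token_hex(15)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_client(conn, user_agent: str, ip: str) -> int:
    cur = conn.execute("INSERT INTO shop_client (Fingerprint) VALUES (?)",
                       (fingerprint(user_agent, ip),))
    return cur.lastrowid


def open_session(conn, client_id: int, now: datetime, ttl=SESSION_TTL) -> str:
    """Start a fresh session (what the 'empty cart' button should do for a
    non-logged-in user) and return the cookie token.  ttl=None leaves
    WhenExpires NULL, i.e. the page's 'never expires' mode."""
    token = new_token()
    expires = (now + ttl).strftime(FMT) if ttl is not None else None
    conn.execute(
        "INSERT INTO shop_session (ID_Client, Token, WhenCreated, WhenExpires) "
        "VALUES (?, ?, ?, ?)",
        (client_id, token, now.strftime(FMT), expires))
    return token


def renew_session(conn, token: str, user_agent: str, ip: str, now: datetime):
    """Authorize reuse of the session behind `token`.

    Returns the session ID on success, or None when the token is unknown,
    the session is already closed, the fingerprint does not match, or the
    session has expired (in which case WhenClosed is stamped so it is never
    reused, as the field notes require)."""
    row = conn.execute(
        "SELECT s.ID, s.WhenExpires, s.WhenClosed, c.Fingerprint "
        "FROM shop_session s JOIN shop_client c ON c.ID = s.ID_Client "
        "WHERE s.Token = ?", (token,)).fetchone()
    if row is None:
        return None
    sid, expires, closed, fp_stored = row
    if closed is not None:
        return None                         # closed sessions are final
    if not secrets.compare_digest(fp_stored, fingerprint(user_agent, ip)):
        return None                         # different browser/IP: refuse
    if expires is not None:
        if now > datetime.strptime(expires, FMT):
            conn.execute("UPDATE shop_session SET WhenClosed = ? WHERE ID = ?",
                         (now.strftime(FMT), sid))
            return None                     # expired: close it permanently
        conn.execute("UPDATE shop_session SET WhenExpires = ? WHERE ID = ?",
                     ((now + SESSION_TTL).strftime(FMT), sid))
    return sid


def when_closed(conn, token: str):
    r = conn.execute("SELECT WhenClosed FROM shop_session WHERE Token = ?",
                     (token,)).fetchone()
    return r[0] if r else None


if __name__ == "__main__":
    # Constructed sample client and clock.
    db = open_db()
    ua, addr = "Mozilla/5.0 (X11; Linux) Gecko", "203.0.113.7"
    client = add_client(db, ua, addr)
    t0 = datetime(2009, 7, 26, 2, 1, 0)
    tok = open_session(db, client, t0)
    print("same browser/IP, in time:", renew_session(db, tok, ua, addr, t0 + timedelta(minutes=30)))
    print("other IP:", renew_session(db, tok, ua, "198.51.100.9", t0 + timedelta(minutes=30)))
    print("after expiry:", renew_session(db, tok, ua, addr, t0 + timedelta(hours=4)), when_closed(db, tok))
```

The example treats a fingerprint mismatch as a refusal only; it does not close the session, since the legitimate user may still come back from the recorded browser and address. Whether a mismatch should also close the session is a policy choice the page does not make.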

SQL

<section begin=sql /><mysql>DROP TABLE IF EXISTS `shop_session`;
CREATE TABLE `shop_session` (
  `ID`          INT     NOT NULL AUTO_INCREMENT,
  `ID_Client`   INT     NOT NULL COMMENT "shop_client.ID",
  `ID_Cart`     INT DEFAULT NULL COMMENT "shop_cart.ID currently active for this session",
  `Token`       VARCHAR(31)      COMMENT "session identifier passed as cookie = random string",
  `WhenCreated` DATETIME         COMMENT "when session was created",
  `WhenExpires` DATETIME         COMMENT "when session was due to expire",
  `WhenClosed`  DATETIME         COMMENT "when the session was closed",
  PRIMARY KEY(`ID`),
  UNIQUE KEY(`Token`)
) ENGINE = MYISAM;</mysql>
<section end=sql />