Re: User registration/authentication

[sergey@total-knowledge.com]

> 1) In order to open the connection we need login and password. When you
> get
> a connection from the pool you must provide both for login. This operation
> is pretty quick, so performance isn't an issue here.
>

You do provide login/password for login() proc. You get them using
sessionid parameter inside of login(), not from parameters.
Anyways, I think the only way is to pass login/password to login() is to
save them in HttpSession, I don't think it's very secure though. What's
your opinion on that?


> 2) For not logged-in users, we can create default user with empty password
> that you can use for such users.
>

Understood.

> 2007/4/3, sergey@total-knowledge.com <sergey@total-knowledge.com>:
>>
>> I have a trouble dealing with authentication functionality the way it's
>> defined now, so I'm asking for your guys opinions.
>>
>> In order to get connection from the pool I need to perform an
>> authentication inside of UuDbPool::getConnection().
>> In order to do that I need to pass login, password, server and sessionid
>> to the getConnection().
>> I cannot get those parameters from DB b/c connection will be opened only
>> after authentication in the pool. So where do I get them?
>> sessionid is no problem, I get it from HttpSession.
>> I can save login, password, server in HttpSession object after
>> successful
>> login/registration, but I don't think it's a good idea. If I save userid
>> in session, then I need a DB connection to get login, password, server
>> from DB, but the connection is not available for reason I explained
>> above.
>> If I use sessionid as the key parameter to get user credentials(which is
>> the best way since I won't need to save anything in HttpSession), then
>> we
>> need sessionid in regular(not temporary) table in DB, but still need the
>> connection before calling getConnection(). But in this case, if we
>> change
>> login() stored procedure to get only sessionid as the parameter, we
>> won't
>> need a connection to DB before calling getConnection().
>> Imho it's ok to have sessionid as the only parameter to login(). The
>> authentication will be done at login time, sessionid will be saved in DB
>> for this user, then login() will check if user exist using sessionid the
>> same way as it's done now using login parameter. session_info table
>> can't
>> have more than one record anyways.
>>
>> Another question about not-logged-in users. The way things defined now,
>> not-logged-in users can never get a connection to DB.
>> Per specs we are going to have some pages available for those kind of
>> users, I'm sure we'll still need to get data from DB for those pages,
>> for
>> example in left navigation bar or in Repository. How are we going to
>> deal
>> with that?
>>
>>
>>
>>
>>
>>
>
>
> --
> Alexey Parshin,
> http://www.sptk.net
>