Brainx7

How do you retrieve form values from a database according to session ID

So basically, I have a form that, when the user finishes it and clicks submit, stores the information in the database. I'm trying to make it so that when they open the form, the information retrieved is their corresponding information and not the one from the last person who filled in the form and stored it in the database. A friend of mine tried to explain to me that all I have to do is something like assign the session id to the user filling in the form, store that in the database, and then retrieve based on that id? I'm not sure if that's right. I'm very new to this topic, so I apologize if I sound retarded. I've done some research about it but I don't clearly understand the process of how to do this. If someone could help me, I'd really appreciate it.

When a user connects, check if they have a `session` cookie. If not, generate a new one. Set that cookie for the user. If they did already have a session, use that ID to load up their information from the DB. When information is saved to the DB, use the session ID to identify it.

Note that there are many, many gotchas here. There are many considerations to make for security purposes. You need to ensure the connection is encrypted before transmitting a cookie so it can't be snooped. You have to be careful with how hard-to-guess the cookies are for attackers. You have to watch out for XSS attacks, CSRF attacks, and so on. The security of any personal information like medical information, SSNs, CC info, etc. should never be remembered or retransmitted back to the user; they shouldn't even be stored in the DB (or anywhere else; use them for validation if you must then throw them away).

If you're doing this for a professional project of some kind (you indicated in another post this might be a government thing), use an existing well-tested and battle-hardened framework that takes care of sessions and such for you securely. Doing it yourself is not something a novice should do when people's personal information is on the line; a leak can easily ruin someone's life for many months or even years.

So you have two main components: server and client. The server stores data for all users. If you have a million users, it stores the information for the million of them. The client (in this case, the web browser) represents each user. So if we have a million users, we can safely assume that there are one million web browsers that have connected / are connecting to your server.

When a user logs in to your website, the server should typically generate a session id to indicate that user X has logged in. You can attach any information to this session, such as time, IP address, expiration, etc. If you are using an RDBMS, you would need another table that stores the sessions. This Session Table would have a many-to-one relationship to the Users Table (i.e. each user can have many sessions).

When the user logs in, you would want to store a session id in the user's web browser's cookie (e.g. 'session_id': '2291afb321'). It's up to you what the scheme is, but it should be unique per instance of login, and it should be a random hex or UUID. Do not make the session id incremental like 100001, 100002, or easy to guess. When you make the request to load the form, your web app should try to read the session id from the cookie and pass it to the server; the server then checks the session id against the DB, grabs the corresponding user id (you'd do a join here in SQL-speak), then grabs the user info, then populates the form with the user info.

If the session id does not exist in the web browser's cookie, it is assumed that the user is logged out, in which case you shouldn't be displaying the form anyway, rather returning a 301 redirect back to the login page.

Edited by alnite
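The flow from the two replies above (random session id in a cookie, a sessions table with many sessions per user, a join to fetch that user's form data, and a redirect to login when the cookie is missing, unknown or expired), as an added example that is not code from any poster. It assumes a SQLite in-memory database and constructed sample users; the `favourite_engine` field and the `redirect:/login` return value are made-up stand-ins for a real form field and a real HTTP redirect.

```python
import secrets
import sqlite3
import time

# In-memory DB standing in for the site's RDBMS (constructed for this example).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE form_data (user_id INTEGER PRIMARY KEY, favourite_engine TEXT);
-- Sessions table: many sessions per user, each with its own random id.
CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
                       created REAL NOT NULL, expires REAL NOT NULL);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
""")

SESSION_TTL = 3600  # seconds a login stays valid

def create_session(user_id, now=None):
    """Log a user in: mint a random, unguessable id and record it server-side.
    The caller puts the returned value in a Secure, HttpOnly cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, never sequential
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (sid, user_id, now, now + SESSION_TTL))
    return sid

def user_for_session(sid, now=None):
    """Resolve a cookie value to a user id, or None if absent, unknown or expired."""
    if not sid:
        return None
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id FROM sessions WHERE id = ? AND expires > ?",
                     (sid, now)).fetchone()
    return row[0] if row else None

def save_form(sid, favourite_engine):
    """Store the submitted form under the logged-in user identified by the session."""
    uid = user_for_session(sid)
    if uid is None:
        return "redirect:/login"
    db.execute("INSERT OR REPLACE INTO form_data VALUES (?, ?)", (uid, favourite_engine))
    return "saved"

def load_form(sid):
    """Prefill the form with *this* user's data via a sessions -> form_data join."""
    if user_for_session(sid) is None:
        return "redirect:/login"  # no valid session: show the login page, not the form
    row = db.execute("""SELECT f.favourite_engine FROM sessions s
                        JOIN form_data f ON f.user_id = s.user_id
                        WHERE s.id = ?""", (sid,)).fetchone()
    return {"favourite_engine": row[0] if row else ""}
```

Two users with separate sessions each get back only their own submission, and a missing, forged or expired cookie is sent to the login page instead of someone else's data.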

> When a user connects, check if they have a `session` cookie. If not, generate a new one. Set that cookie for the user. If they did already have a session, use that ID to load up their information from the DB. When information is saved to the DB, use the session ID to identify it.
>
> Note that there are many, many gotchas here. There are many considerations to make for security purposes. You need to ensure the connection is encrypted before transmitting a cookie so it can't be snooped. You have to be careful with how hard-to-guess the cookies are for attackers. You have to watch out for XSS attacks, CSRF attacks, and so on. The security of any personal information like medical information, SSNs, CC info, etc. should never be remembered or retransmitted back to the user; they shouldn't even be stored in the DB (or anywhere else; use them for validation if you must then throw them away).
>
> If you're doing this for a professional project of some kind (you indicated in another post this might be a government thing), use an existing well-tested and battle-hardened framework that takes care of sessions and such for you securely. Doing it yourself is not something a novice should do when people's personal information is on the line; a leak can easily ruin someone's life for many months or even years.

Not to mention that when you start dealing with sensitive data like this you usually start falling under various regulations (such as PCI compliance for credit card information) which means you need to have your code/database/protocols audited, which in theory pretty much requires you to use existing frameworks and infrastructure, because audits cost money and time and it looks bad for the company and especially for you if you fail them. So in a professional project it's best not to take chances with these things indeed.
