Reputation: 324
database or sessions ? where to store tokens
tokens are great tool to prevent csrf attack
for every request made by user , your system must generate a unique token and store it somewhere
the next time the client ask to perform some actions , the system verify if the token exist , and if it still valid
if we store tokens in sessions , then sessions will become too large , an this will cost a lot of memory as the CPU load the entire sessions in ram when responding to a request , and with a CPU of 1Gb for example , and 1000 users with 1 sessions of 1Mb each , the CPU will not handle anything , this could be a typical ddos attack ( to request more and more tokens knowing they are stored in sessions)
in the other side storing tokens in database have his own weakness ,
which method do you use to store tokens ?
Upvotes: 0
Views: 1174
Answers (1)
Reputation: 1086
Use sessions, 1MB per session is pretty high IMO. Since PHP's Session handler can be switched to use a different back end, you have the flexibility of storing them on disk / memcached / mysql down the road.
Upvotes: 2
Related Questions
- Where to store information using php - Best Practice
- What is better, generating a CSRF Token per form request or having a Session Key that is stored in the DB?
- Token authentication - where to store the token
- Store sessions in same or separate database from app?
- Using Sessions vs Tokens for API authentication
- What's the standard method to store Facebook's access tokens? Database or cookie?
- Where do i store username and userid? sessions or cookie?
- Remember-Me-cookie - where to store token
- PHP, which is the better way between storing data into session and database?
- What are the best practices for storing PHP session data in a database?