pathsilikon.blogg.se

Website auditor password














Learn to use Oracle Database's "client identifier" feature in your PHP applications.

The OCI8 extension for the PHP language lets applications set a small string identifier token on each database connection. This "client identifier" can be used by Oracle Database to distinguish between individual web application users who all connect to the database using one common set of database credentials. For example, every page in a web site might physically connect to the database as the same database user PHPUSER. If two different people 'Chris' and 'Alison' are using the site, these two user names can be set as their respective client identifiers and be passed into the database.

By associating a unique client identifier with each web user Oracle Database can:

- Provide an audit trail on individual web users.
- Automatically apply rules to individual web users to restrict data access.
- Monitor and trace applications per web user

Each PHP file in a typical Oracle PHP application calls oci_connect() with an identical database user name. Once the application's own authentication system decides a particular web user is OK, then a unique token is passed back and forth in HTTP responses and requests so that the web user doesn't have to re-authenticate each time a new web page is loaded.

Implementing application level authentication and passing PHP session information need careful design to ensure security. Setting client identifiers in the application also requires care to ensure consistency of use. The overall nature of stateless web applications that utilize shared database connections means application code integrity is a very important part of ensuring data security.

This article gives advice on when to set client identifiers, and on how using them helps development and management of web sites. It does not cover PHP authentication or session handling best practices.

Client identifiers should be set with oci_set_client_identifier() after connecting but before executing any statements or OCI8 calls on behalf of the web user.

At its most basic, the client identifier could be the web user's name stored in PHP's session data by a previous authentication request:

    oci_set_client_identifier($conn, $auth->getIdentity()->USERNAME);

In practice a separation of responsibilities would be preferred.

PHP OCI8 does not clear the client identifier at the end of an HTTP request since the overhead of a round-trip to clear the value would impact scalability of every application. This is not detrimental for standard OCI8 connections since the database connection is destroyed at the end of the HTTP request and the identifier value is cleared as a result.
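The following is an added example, not code from the original article: it sets the client identifier on every request immediately after connecting, falls back to a neutral label when no user is logged in, and reads the value back with SYS_CONTEXT. The connect string, the PHPUSER_PASSWORD environment variable, the `username` session key, the `anonymous` label and the helper function names are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical label used when the request has no authenticated web user.
const ANONYMOUS_ID = 'anonymous';

// Derive the identifier from session data written by the application's own
// login code (out of scope here). Oracle limits the value to 64 bytes, so
// anything unexpected is replaced rather than passed through.
function client_identifier_for(array $session): string
{
    $name = $session['username'] ?? '';
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $name)) {
        return ANONYMOUS_ID;
    }
    return $name;
}

// Connect as the shared database user and tag the connection before any
// statement runs on behalf of the web user.
function connect_for_web_user(array $session)
{
    // Placeholder credentials and connect string (assumptions).
    $conn = oci_connect('PHPUSER', getenv('PHPUSER_PASSWORD') ?: '', 'localhost/XEPDB1');
    if ($conn === false) {
        throw new RuntimeException(oci_error()['message'] ?? 'connect failed');
    }
    // Set the identifier unconditionally: OCI8 does not clear it at the end
    // of a request, so a connection that outlives the request (for example
    // one from oci_pconnect()) would otherwise keep the previous user's name.
    oci_set_client_identifier($conn, client_identifier_for($session));
    return $conn;
}

session_start();
$conn = connect_for_web_user($_SESSION);

// The identifier travels with the next round trip; read it back to confirm
// what the database will record for this web user.
$stmt = oci_parse(
    $conn,
    "SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS CID FROM DUAL"
);
oci_execute($stmt);
$row = oci_fetch_assoc($stmt);
error_log('client identifier seen by database: ' . ($row['CID'] ?? '(none)'));
```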














