suggestions for setting up authenticating users based on questions

Question

I am in the process of setting up a little module where if the user loggin in last logged in at a certain date then he has to answer 10 options questions before being authenticated. 10 questions will be options and multiple choice.

Wondering If i can get some advice in setting this up. I want to store the 10 questions and answers for each of them into the DB so if questions or answers are changed then code doesnt need to be changed.

I was thinking about having two tables Questions, Answers (one column will have correct answer for question) which will be joined by a pkey (is this the best table structure for this?)

my code (Java) will get each question and answers and store them into a Hash for each question (is this the best datastructure for this?)

then the view layer will have a outer loop which will loop over the questions and an inside loop which will loop over the answers for each question. Should I store the real answer as a hidden html variable? or go to the DB again when user clicks submit so that I can match the answers?

any suggestions would help.

Answer 1

Should I store the real answer as a hidden html variable?

Don't be daft. If you do that, you've just made it trivially easy for anyone to break.

As for the broader question(s) you need to clarify things considerably if you want useful advice. Are the choices going to be predetermined (by you) or given by the user? Are they going to be the same for all users? Why are you choosing to do this instead of (say) just a password? Aren't you also going to need to store which answers are correct for which users somewhere? What happens when the questions are changed? Etc.

Answer 2

my code will get each question and answers and store them into a Hash for each question (is this the best datastructure for this?)

Yes, hashing is a good approach. Simple hashing isn't all that strong so you should read up on this, you should probably add a salt.

Should I store the real answer as a hidden html variable? or go to the DB again when user clicks submit so that I can match the answers?

No. Hidden HTML is still visible if you view the source, so you'll be giving your answers away. The only way to do this is to do all the checking on the server side.