Hello,
I've been looking for a simple, robust and secure login.
I've seen some and read about many.
I've a short question about security itself.
Not directly about CI only.
Assumptions:
- Sessions are stored only on the server
- The session ID is stored on the client in a cookie (JS cookies disabled)
- With https the whole communication is secure
- With session regeneration (ideally on every call) the session ID changes with each call, which makes it hard to capture a session
- I can store the Agent-String and the User-IP in the session and compare them each call.
- I can store a timeout value in the session. If the next call is past this time I remove the session
- Anything I've forgotten?
- Why should a DB with session information enhance security?
Each Session is a file on the webserver
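The assumptions in the post above (server-side storage, the ID only ever living in a cookie, regeneration on every call, user-agent/IP binding, an idle timeout) can be put together in one small, framework-agnostic session store. The following is an added example written for this reply; it is not CodeIgniter's session library and not the original poster's code. The class name `SessionStore`, the `validate()`/`create()` API, the 900-second timeout, the user-agent string and the IP addresses are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class SessionStore:
    """In-memory server-side session store (stand-in for the per-session files
    mentioned in the post; the same logic applies to a DB-backed store).

    Only the opaque session ID ever leaves the server; all state stays here."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}              # session id -> session data
        self.idle_timeout = idle_timeout  # seconds of inactivity before removal
        self.clock = clock                # injectable for deterministic tests

    @staticmethod
    def _new_id():
        # 32 random bytes (256 bits) from the OS CSPRNG; never derive the ID
        # from user data, time or a counter.
        return secrets.token_urlsafe(32)

    def create(self, user_id, user_agent, client_ip):
        """Start a fresh session after a successful login and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = {
            "user_id": user_id,
            "ua": user_agent,
            "ip": client_ip,
            "last_seen": self.clock(),
        }
        return sid

    def validate(self, sid, user_agent, client_ip):
        """Check the presented ID against the stored session on every request.

        Returns (new_sid, data) on success; the caller must set new_sid in the
        cookie because the old ID is retired (regeneration on every call).
        Returns (None, None) when the session is unknown, idle too long, or
        bound to a different user agent / IP; in those cases it is destroyed."""
        data = self._sessions.get(sid)
        if data is None:
            return None, None

        now = self.clock()
        if now - data["last_seen"] > self.idle_timeout:
            self.destroy(sid)
            return None, None

        # Constant-time comparison of the bound user agent; IP compared as-is.
        ua_ok = hmac.compare_digest(data["ua"].encode(), user_agent.encode())
        if not (ua_ok and data["ip"] == client_ip):
            self.destroy(sid)
            return None, None

        data["last_seen"] = now
        # Rotate the ID: a captured old ID is useless after this request.
        new_sid = self._new_id()
        del self._sessions[sid]
        self._sessions[new_sid] = data
        return new_sid, data

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def count(self):
        return len(self._sessions)


def cookie_header(sid):
    """Cookie attributes matching the assumptions: HTTPS only (Secure) and no
    JavaScript access (HttpOnly); SameSite limits cross-site sending."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo():
    """Walk through the cases the post lists, with constructed request data."""
    clock = [1_000_000.0]
    store = SessionStore(idle_timeout=900, clock=lambda: clock[0])
    ua, ip = "Mozilla/5.0 (constructed test agent)", "198.51.100.7"
    results = {}

    sid1 = store.create("alice", ua, ip)
    sid2, data = store.validate(sid1, ua, ip)           # normal next call
    results["rotated"] = sid2 is not None and sid2 != sid1 and data["user_id"] == "alice"
    results["replay_rejected"] = store.validate(sid1, ua, ip) == (None, None)
    # Same (current) ID presented from another address: rejected and destroyed
    results["ip_mismatch_rejected"] = store.validate(sid2, ua, "203.0.113.9") == (None, None)

    sid3 = store.create("alice", ua, ip)
    clock[0] += 901                                      # past the idle timeout
    results["timeout_rejected"] = store.validate(sid3, ua, ip) == (None, None)
    results["store_empty"] = store.count() == 0
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth knowing before copying this: binding to the client IP logs out users whose address changes mid-session (mobile networks, some proxies), and rotating the ID on every request means two requests in flight at once (for example parallel AJAX calls) race each other, since the second one arrives with an ID that the first has already retired. Whether those trade-offs are acceptable depends on the application.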