CodeIgniter Forums

Full Version: setting custom session variables

El Forum

[eluser]mistress_shiira[/eluser]
Hi guys!
I just want your comments on this. I have a callback function on my validation that checks for the username and password. I tried to set the logged_in field to 1 on successful validation before directing it to another page.
I tried to do this:
Code:
$this->session->set_userdata('logged_in',1);
But when I look at my ci_sessions table, the logged_in field remained 0.

Is session the correct way for me to do this or not?
Basically, I don't want the users to be able to access other pages if they are not logged in.

Thanks!

El Forum

[eluser]gtech[/eluser]
I have used the session for the same purpose and it works well. The session does time out (which is a good thing).

Does this bit of code work (you should get a 1 displayed on the page)?
Code:
$this->session->set_userdata('logged_in',1);
print_r($this->session->userdata('logged_in'));

El Forum

[eluser]Michael Wales[/eluser]
Using the default sessions library - only the standard session data is saved to the database. Custom session is still saved to the cookie - even if you configure it to use the database.

El Forum

[eluser]mistress_shiira[/eluser]
@gtech: Yes, I tried that and got 1 on the page as output, but then when I verify it on my database, the value does not change.

El Forum

[eluser]WolfgangA[/eluser]
I just wonder whether:

- Storing the userid (encrypted) in a cookie should be considered a security issue?
And if so:
- Whether it would make sense to extend the Session lib to support storing the user_id in the db?

Regards

Wolfgang

El Forum

[eluser]theswede[/eluser]
*bump*

Is it standard praxis to store variables such as 'is_logged_in' using the session lib? Does CI in any way prevent tampering of those cookies?

El Forum

[eluser]WolfgangA[/eluser]
You can use a session lib that does store session data (except the session_id, of course) in a database on the server side.
You can also encrypt session data.

El Forum

[eluser]theswede[/eluser]
So it is dangerous to store sessions in this way?

El Forum

[eluser]tonanbarbarian[/eluser]
Technically if your session processing is just storing information in the cookie it could be considered dangerous.
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that, don't worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion
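
The three designs discussed in this thread (session data in the cookie, the same data with an integrity check, and a cookie that carries only a session id) compared side by side, as an added example that is not part of the original posts and is not CodeIgniter's session library. All function names, the key and the sample values are hypothetical and constructed; PHP 7.1 or later is assumed.

```php
<?php
// Added illustration: every name below is hypothetical, none is a CodeIgniter API.
const SERVER_KEY = 'constructed-demo-key'; // constructed; a real key is long, random and secret

// 1. Data-in-cookie: the browser holds the flag itself.
function cookie_encode_plain(array $data): string {
    return base64_encode(json_encode($data));
}
function cookie_decode_plain(string $cookie): ?array {
    $data = json_decode((string) base64_decode($cookie, true), true);
    return is_array($data) ? $data : null;
}

// 2. Same data plus an HMAC: still readable by the client, but edits are detected.
function cookie_encode_signed(array $data): string {
    $payload = cookie_encode_plain($data);
    return $payload . '.' . hash_hmac('sha256', $payload, SERVER_KEY);
}
function cookie_decode_signed(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SERVER_KEY);
    return hash_equals($expected, $mac) ? cookie_decode_plain($payload) : null;
}

// 3. Server-side store: the cookie carries only an unguessable id.
function session_create(array &$store, array $data): string {
    $id = bin2hex(random_bytes(16));
    $store[$id] = $data;
    return $id;
}
function session_load(array $store, string $id): ?array {
    return $store[$id] ?? null;
}

// Constructed sample: the server issued a guest session, the client returns edited data.
$guest  = ['user_id' => 0, 'logged_in' => 0];
$edited = cookie_encode_plain(['user_id' => 0, 'logged_in' => 1]);

var_dump(cookie_decode_plain($edited));               // plain cookie: server reads whatever was sent
$mac = explode('.', cookie_encode_signed($guest), 2)[1];
var_dump(cookie_decode_signed($edited . '.' . $mac)); // signed cookie: payload no longer matches its MAC
$store = [];
$id = session_create($store, $guest);
var_dump(session_load($store, $id));                  // server-side: state is read from the store
var_dump(session_load($store, 'id-the-server-never-issued'));
```

In the third design the `logged_in` flag never leaves the server, so the only thing a client can change is which id it presents.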

El Forum

[eluser]theswede[/eluser]
[quote author="tonanbarbarian" date="1199784497"]Technically if your session processing is just storing information in the cookie it could be considered dangerous.
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that, don't worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion[/quote]

Thank you, that is exactly what I wanted to know :)