CodeIgniter Forums

Full Version: my auth is secure?
i need a simple user login system for my first ci app. i have created some models and ... to log in the user, in the login controller, i save username and user id in session:

Code:
$CI->session->set_userdata('username' , $user->get_username());
$CI->session->set_userdata('userid' , $user->get_id());
and logout :
Code:
function user_logout($redirect_uri = NULL){
    $CI = get_instance();
    // remove the two keys that mark a logged-in user
    $CI->session->unset_userdata('username');
    $CI->session->unset_userdata('userid');
    if($redirect_uri){
        redirect($redirect_uri);
    }
}


and when i need to know if the user is logged in, i check the session for username and id,

and when i need the user's info like email, roles, ... i create a new object of user_model and load it from the database using the userid (in session)

i set session encryption and the encryption key in config, and i'm saving md5(password) in DB,

can you tell me if this is the right way for a simple (but secure) login system?
Hello,
Your way is quite good, and for your logout think to destroy the whole user session ($this->session->sess_destroy();, see the documentation please) and destroy the cookie too.
Try to prefer $this->session->userdata(..) instead of $ci->session->userdata(..). That avoids creating another instance of $CI.
You can put in your session a data like 'logged' (e.g. $this->session->set_userdata('logged', TRUE) when connected, and set it to FALSE on logout).
Put the session expiration time in config.php as you like for your application (10, 20, 60 minutes, converted to seconds).
Use a session table in the database or files to store sessions. You can try to read up on cache files or tokens.
Have a good day.
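A way to put those suggestions together, as an added example that is not code from the thread or from CodeIgniter itself. It is written as helper functions (so $CI =& get_instance() rather than $this), stores only the user id, username and a 'logged' flag, and uses sess_destroy() on logout instead of unsetting keys one by one. It assumes CodeIgniter 3 with the Session library autoloaded; sess_regenerate() is a CI 3 method and does not exist in CI 2. The caller is assumed to have verified the password before calling user_login().

```php
<?php
// Added example, not from the original post. Assumes CodeIgniter 3 and an
// autoloaded Session library; sess_regenerate() is CI 3 only.
defined('BASEPATH') OR exit('No direct script access allowed');

if ( ! function_exists('user_login'))
{
    /**
     * Record a successful login. The session ID is rotated first so a
     * session ID fixated on the victim before login cannot be reused.
     */
    function user_login($user_id, $username)
    {
        $CI =& get_instance();
        // TRUE also discards the pre-login session data (CI 3 API).
        $CI->session->sess_regenerate(TRUE);
        $CI->session->set_userdata(array(
            'userid'   => (int) $user_id,
            'username' => $username,
            'logged'   => TRUE,
        ));
    }
}

if ( ! function_exists('user_logout'))
{
    /**
     * Destroy the whole session (data and cookie) rather than unsetting
     * individual keys, so nothing from the logged-in session survives.
     */
    function user_logout($redirect_uri = NULL)
    {
        $CI =& get_instance();
        $CI->session->sess_destroy();
        if ($redirect_uri)
        {
            redirect($redirect_uri);
        }
    }
}

if ( ! function_exists('is_logged_in'))
{
    /**
     * A user is logged in only if the flag is set AND an id is present;
     * everything else (email, roles) is loaded from user_model by that id.
     */
    function is_logged_in()
    {
        $CI =& get_instance();
        return $CI->session->userdata('logged') === TRUE
            && $CI->session->userdata('userid') !== NULL;
    }
}
```

Load the helper in the controller, call user_login() only after the password check passed, and keep the session expiration in config.php (sess_expiration, in seconds) short enough for the application.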
(04-07-2015, 12:35 AM)nasser.man Wrote: [ -> ]i set session encryption and the encryption key in config, and i'm saving md5(password) in DB,

can you tell me if this is the right way for a simple (but secure) login system?

Don't use MD5, use bcrypt via http://php.net/password
(04-07-2015, 03:02 AM)casa Wrote: [ -> ]Try to prefer, $this->session->userdata(..) instead of  $ci->session->userdata(..). That avoid you to create again an instance of $CI.

thanks casa for your reply. about $this or $CI, i put the login and logout methods in user_helper so i can't use $this,


Code:
Don't use MD5, use bcrypt via http://php.net/password

how can i use the encryption key (in the config file) as salt for this function?
(04-07-2015, 08:16 AM)nasser.man Wrote: [ -> ]
Code:
Don't use MD5, use bcrypt via http://php.net/password

how can i use the encryption key (in the config file) as salt for this function?

Don't!

Leave the salt to be generated by PHP itself.
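What "use bcrypt via http://php.net/password" and "leave the salt to PHP" look like in practice, as an added example that is not code from the thread. It hashes with password_hash() (which generates its own random salt), verifies with password_verify(), and also shows how to migrate rows that still hold md5($password): on a successful login against a legacy MD5 value the hash is replaced with bcrypt, and password_needs_rehash() does the same when the bcrypt cost is raised later. The $users array and the login attempts are constructed stand-ins for the user_model table; hash_equals() needs PHP 5.6+, the password_* functions PHP 5.5+.

```php
<?php
// Added example, not from the original post. Plain PHP (>= 5.6), no CI needed.

// Constructed sample rows: one already on bcrypt, one still on legacy MD5.
$users = array(
    'alice' => array('id' => 1, 'password' => password_hash('correct horse', PASSWORD_DEFAULT)),
    'bob'   => array('id' => 2, 'password' => md5('battery staple')),
);

/**
 * Hash a new password. PHP generates the salt; never reuse the
 * encryption_key from config.php as a salt.
 */
function hash_password($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Verify $plain against the stored value. Returns TRUE/FALSE and sets
 * $new_hash when the stored value should be replaced (legacy MD5 row,
 * or a bcrypt hash made with an outdated cost).
 */
function check_password($plain, $stored, &$new_hash = NULL)
{
    $new_hash = NULL;

    // Legacy md5() row: 32 hex characters. Compare in constant time, then upgrade.
    if (preg_match('/^[a-f0-9]{32}$/i', $stored))
    {
        if ( ! hash_equals(strtolower($stored), md5($plain)))
        {
            return FALSE;
        }
        $new_hash = hash_password($plain);
        return TRUE;
    }

    if ( ! password_verify($plain, $stored))
    {
        return FALSE;
    }
    // Cost/algorithm changed since this hash was made: rehash while we have the plaintext.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT))
    {
        $new_hash = hash_password($plain);
    }
    return TRUE;
}

// Constructed login attempts: (username, submitted password).
$attempts = array(
    array('alice', 'correct horse'),   // bcrypt row, correct password
    array('bob',   'battery staple'),  // MD5 row, correct: gets upgraded to bcrypt
    array('bob',   'wrong'),           // now a bcrypt row, wrong password
);

foreach ($attempts as $a)
{
    list($name, $plain) = $a;
    $ok = check_password($plain, $users[$name]['password'], $new_hash);
    if ($ok && $new_hash !== NULL)
    {
        // In the real app this is a user_model update by id, e.g.
        // $this->user_model->update_password($users[$name]['id'], $new_hash);
        $users[$name]['password'] = $new_hash;
    }
    printf("%-5s %-15s %s%s\n", $name, $plain, $ok ? 'OK' : 'FAIL', $new_hash !== NULL ? ' (hash upgraded)' : '');
}
```

The stored value from password_hash() already contains the algorithm, cost and salt (it starts with $2y$), so the table needs only one VARCHAR(255) column and no separate salt column; the config encryption_key stays what it is for, session and cookie encryption.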
(04-07-2015, 10:39 AM)gabrielpasv Wrote: [ -> ]use ion_auth
gabrielpasv,
ion_auth is a really nice and complete auth solution for CI, but in my case i need a simple (but secure) system, ... flexi and tank are as good as ion_auth. thanks for the suggestion,