Uber-simple login script... - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions > Archived Development & Programming
Thread: Uber-simple login script... (https://forum.codeigniter.com/showthread.php?tid=12310)
Uber-simple login script... - El Forum - 10-14-2008
[eluser]Tim Skoch[/eluser]

I wanted a simple way to block all public access to a site except for a few whitelisted controllers. This is what I came up with. I'm using a pre_controller hook. I'd like to use a pre_system hook (because I'm irrationally paranoid :-) ), but I cannot think of a good way to get the routed URIs that early.

Anyway - any thoughts from the community? Criticism? Is this secure? Can I make it even simpler? So far it seems to work great! It also maintains user activity timestamps (for logged-in users only) in session variables, and expires logins automatically.

The hook definition:
Code:
$hook['pre_controller'] = array(

The hook script:
Code:
<?

Uber-simple login script... - El Forum - 10-14-2008
[eluser]crumpet[/eluser]

If you really want to be secure you can use JavaScript to MD5 the password before sending it, in case someone is listening - or ssh, I guess.

Also this statement:
isset( $_SESSION['lastactivity']) && is_numeric( $_SESSION['lastactivity']) && ((time()- $_SESSION['lastactivity'])>$loginLength)
will fail if last activity is not a number, so a user could steal a cookie and tamper with it to have lastactivity = 'a' or something, and it would last forever...

Uber-simple login script... - El Forum - 10-14-2008
[eluser]Tim Skoch[/eluser]

Thanks! The JavaScript idea sounds fun. I don't understand how someone could tamper with a $_SESSION[] variable, though. When PHP uses sessions, the only thing it sends to the user is their session ID - it stores all of the data on the server (at least that's what I understood - but I've been wrong before!). Hence, all they could POTENTIALLY do is spoof a session which wasn't theirs. But I don't think they can inject arbitrary data into the $_SERVER variables.

Anyway, thanks for the input! :-)

Uber-simple login script... - El Forum - 10-14-2008
[eluser]crumpet[/eluser]

I don't think that PHP does that natively. You need to write a session library specifically to have it store the data on the server. You can enable it in the CodeIgniter configuration files, but you have to create a special table in your database for the session to be stored in.

Uber-simple login script... - El Forum - 10-14-2008
[eluser]Tim Skoch[/eluser]

Hrmmm, looking into it further I really think PHP sessions only store the session ID on the client - all of the other data looks like it's stored on the server, isolated from the user. :-S

Anyone else care to chime in?

Uber-simple login script... - El Forum - 10-15-2008
[eluser]crumpet[/eluser]

Sorry, you are right on this one. I wonder why people in the community seem to value storing sessions in a MySQL database... anyone?

Uber-simple login script... - El Forum - 10-15-2008
[eluser]Tim Skoch[/eluser]

Maybe just the ease with which doing so allows you to save historical session info? User tracking? Unless you plan to save the info, I don't see any advantage to putting it into a database. Hmmm...
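An added example (not the script posted in the thread, which is cut off above) of the approach the first post describes: a pre_controller hook that whitelists a few controllers and expires logins by a last-activity timestamp kept in the native PHP session, with the expiry check written to fail closed rather than treat a missing or malformed timestamp as "not expired". It assumes CodeIgniter 1.x (where load_class('Router') returns the router that has already routed the request), a 'login' controller, and the file/function names in the comment.

```php
<?php
// Added example, not the thread's own hook script. Assumes CodeIgniter 1.x.
// Hook definition for application/config/hooks.php (assumed names):
//   $hook['pre_controller'] = array(
//       'class' => '', 'function' => 'uber_simple_auth',
//       'filename' => 'uber_simple_auth.php', 'filepath' => 'hooks');

function uber_simple_auth()
{
    $whitelist   = array('login', 'logout');   // controllers reachable without a login
    $loginLength = 1800;                       // seconds of inactivity before expiry

    $RTR =& load_class('Router');              // already routed when pre_controller runs
    $controller = strtolower($RTR->fetch_class());
    if (in_array($controller, $whitelist, TRUE)) {
        return;                                // public controller, nothing to check
    }

    if (session_id() === '') {
        session_start();                       // native PHP session, data stays server-side
    }

    // Fail closed: the login is valid only if every piece of state is present and sane.
    // A check shaped like "isset && is_numeric && expired" evaluates to false for a
    // missing or non-numeric timestamp, i.e. it never expires; here anything that is
    // not a plausible past timestamp counts as logged out.
    $now      = time();
    $loggedIn = !empty($_SESSION['logged_in']);
    $last     = isset($_SESSION['lastactivity']) ? $_SESSION['lastactivity'] : NULL;
    $valid    = $loggedIn
             && is_int($last)
             && $last <= $now
             && ($now - $last) <= $loginLength;

    if (!$valid) {
        $_SESSION = array();                   // drop stale state before bouncing
        session_regenerate_id(TRUE);           // new ID so an old cookie is worthless
        header('Location: ' . config_item('base_url') . 'index.php/login');
        exit;
    }

    $_SESSION['lastactivity'] = $now;          // slide the inactivity window
}
```

The login controller is expected to set $_SESSION['logged_in'] = TRUE and $_SESSION['lastactivity'] = time() after a successful check, and should also call session_regenerate_id(TRUE) at that point.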