CodeIgniter Forums
Delete and *never use* ci_session cookie? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Delete and *never use* ci_session cookie? (/showthread.php?tid=12473)



Delete and *never use* ci_session cookie? - El Forum - 10-20-2008

[eluser]IanMcQ[/eluser]
Hi,

I've recently switched over the authentication system on my site and it doesn't use ci_session, the stock Sessions class, or any of that stuff. However, since the stock Sessions class was used previously, user data from the old system is still stored in cookie "ci_session." How can I delete this cookie (or overwrite it with an empty array of data) and never use it again?

I want all traces of the ci_session cookie off the site basically. Let me know.


Delete and *never use* ci_session cookie? - El Forum - 10-20-2008

[eluser]roj[/eluser]
Would it not just be matter of leaving
Code:
$this->session->sess_destroy();
in the code?

Just as a point of interest why are you not using it?


Delete and *never use* ci_session cookie? - El Forum - 10-20-2008

[eluser]IanMcQ[/eluser]
Thanks.

The reason why I've switched authentication systems is because I believe a hacker abused the (bad) system that I had set up w/ CI. You see, I wanted to be able to access user data DIRECTLY from the database. So, I ran a hook on every page to update the session information ($this->session->set_userdata) to keep the session in sync with the database. The session data (cookie, ci_session) had EVERYTHING about a user, including things like issiteadmin=1, etc.

So, my guess is a hacker screwed with his or her browser to change that cookie to say issiteadmin=0 to issiteadmin=1. Thus, giving them access to my web-based admin panel.

As to the new authentication system... well, I'll keep that a secret. Wink


Delete and *never use* ci_session cookie? - El Forum - 10-20-2008

[eluser]roj[/eluser]
Ah,

not sure if i'm reading you right but if you were loading everything into the cookie for every page view anyway would it not have been better practise to store the info in it's own object or array?


Delete and *never use* ci_session cookie? - El Forum - 10-21-2008

[eluser]oll[/eluser]
I don't know if there's an ignited code for this.
What I did for my website is for being sure to delete everything (I know it's redondant but I'm a bit paranoid Wink) is :

Code:
function logoff () {
$this->session->sess_destroy();
foreach ($_COOKIE as $key=>$value) {
  setcookie($key,"",1);
  }
}



Delete and *never use* ci_session cookie? - El Forum - 10-21-2008

[eluser]johnwbaxter[/eluser]
Why not just store the cookie data in the database then you wont have that problem.