CodeIgniter Forums
flash_data safety - Printable Version

+--- Thread: flash_data safety (/showthread.php?tid=31347)



flash_data safety - El Forum - 06-15-2010

[eluser]newtonianb[/eluser]
Can flash_data be tampered with by a user? Is it local or server storage?
I would like to store user submitted information in flash_data and use it in a different controller that gets redirected and I don't want to have to repeat the data validation again in this second controller as long as the data remained safe across the redirect.


flash_data safety - El Forum - 06-16-2010

[eluser]WanWizard[/eluser]
You can tamper with everything, but in this case it's not going to be easy.

If you use the session library without the database, session data is stored in a cookie, client side. If you use the database, no session data is sent to the client.
In either case, don't forget to encrypt the cookie, and use an encryption key with enough entropy.


flash_data safety - El Forum - 06-16-2010

[eluser]newtonianb[/eluser]
Thanks WanWizard!
When you talked about database, do you mean I can specify an option for flash data to use database instead of cookie? Or did you mean I can implement my own system and manually insert data into database?


flash_data safety - El Forum - 06-16-2010

[eluser]WanWizard[/eluser]
I meant the session library using a database table for session storage. This is described in the manual. No need to waste time developing something yourself.
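The two setups WanWizard describes (cookie-backed session data versus a database-backed session) and the flashdata-across-a-redirect flow the original poster asked about, written out as an added example. This is not code from the thread or from the CodeIgniter project; it is written against the CodeIgniter 2.x session library and config keys, with the `ci_sessions` table layout taken from the 2.x user guide. The controller names `Signup` and `Welcome`, the view names and the `encryption_key` value are assumed placeholders (in 1.7.x the base class is `Controller` rather than `CI_Controller`).

```php
<?php
// application/config/config.php -- session settings (CodeIgniter 2.x keys)

// Weak: all session data, flashdata included, is serialized into a cookie
// held by the client. Without encryption it can be read and edited there.
$config['sess_use_database']   = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['encryption_key']      = '';

// Corrected: only the session id travels in the cookie; user_data stays in
// the ci_sessions table. The cookie is still encrypted, and the key should be
// random, e.g. from: php -r 'echo bin2hex(random_bytes(16));'
$config['sess_use_database']   = TRUE;
$config['sess_table_name']     = 'ci_sessions';
$config['sess_encrypt_cookie'] = TRUE;
$config['encryption_key']      = 'REPLACE_WITH_32_RANDOM_HEX_CHARS'; // placeholder

// Session table as given in the CodeIgniter 2.x user guide (create once):
//   CREATE TABLE IF NOT EXISTS `ci_sessions` (
//     session_id    varchar(40)  DEFAULT '0' NOT NULL,
//     ip_address    varchar(45)  DEFAULT '0' NOT NULL,
//     user_agent    varchar(120) NOT NULL,
//     last_activity int(10) unsigned DEFAULT 0 NOT NULL,
//     user_data     text NOT NULL,
//     PRIMARY KEY (session_id),
//     KEY `last_activity_idx` (`last_activity`)
//   );

// Controller A (assumed name): validate once, store the clean data as
// flashdata, then redirect.
class Signup extends CI_Controller {
    public function submit() {
        $this->load->library(array('form_validation', 'session'));
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
        if ($this->form_validation->run() === FALSE) {
            $this->load->view('signup_form'); // assumed view name
            return;
        }
        $clean = array('email' => $this->input->post('email'));
        // Flashdata is available for exactly one subsequent request.
        $this->session->set_flashdata('signup', $clean);
        redirect('welcome/index');
    }
}

// Controller B (assumed name): read the flashdata back. With
// sess_use_database = TRUE the value never left the server, so it is as
// trustworthy as it was when Controller A stored it.
class Welcome extends CI_Controller {
    public function index() {
        $this->load->library('session');
        $clean = $this->session->flashdata('signup');
        if ($clean === FALSE) {
            // Expired, already consumed, or a direct visit: start over
            // rather than trusting anything else from the request.
            redirect('signup');
        }
        $this->load->view('welcome', $clean); // assumed view name
    }
}
```

With the cookie-backed configuration at the top, the same `flashdata('signup')` call returns whatever the client's cookie contained, so the second controller would have to re-validate; with the database-backed configuration the cookie carries only the session id, which is the property the thread is after.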


flash_data safety - El Forum - 06-16-2010

[eluser]newtonianb[/eluser]
Ah, that's awesome, thanks a lot.


flash_data safety - El Forum - 06-16-2010

[eluser]Burak Guzel[/eluser]
Storing session data on client side is not such a good idea, mainly for security reasons. Not sure why the CI team went with that as the default option.

I have used native sessions for years, and they are always server-side by default.


flash_data safety - El Forum - 06-16-2010

[eluser]newtonianb[/eluser]
Burak, what is the performance difference? Is the load on the server very much more if we use the database?
Also does it make any sense to use session encryption if we are storing in database?


flash_data safety - El Forum - 06-16-2010

[eluser]Burak Guzel[/eluser]
On high-traffic websites, it is not a good idea to use MySQL for session storage. We prefer to use memcached, which is very fast and scalable.

But on small websites, it's not a big deal.

And no, you generally don't really need to encrypt session data, if stored server-side, as it's not something that surfers can access directly.


flash_data safety - El Forum - 06-17-2010

[eluser]WanWizard[/eluser]
[quote author="Burak Guzel" date="1276743430"]Not sure why the CI team went with that as the default option.[/quote]
CI, out of the box, is not database driven. Making it a default is not very handy. Besides that, it's well documented.

CI only encrypts the part that goes to the client, not the data in the database.


flash_data safety - El Forum - 06-17-2010

[eluser]cahva[/eluser]
The thing is that CI should have the option to use native sessions or the database for sessions in the first place. The error is the cookie-based session as the default, which is kind of dumb.