CodeIgniter Forums
Best way to handle user auth? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Best way to handle user auth? (/showthread.php?tid=3310)



Best way to handle user auth? - El Forum - 09-23-2007

[eluser]ballen[/eluser]
Hi all,

I was wondering, and not necessarily just in CI, what people regard as the best way to handle sessions and user authentication. Is it best to store the email and hashed password and recheck every time, or to set an "is_logged_in"-type variable and check that this is true?
Or any other options? I was mainly wondering about database hits and security.

Thanks


Best way to handle user auth? - El Forum - 09-23-2007

[eluser]Majd Taby[/eluser]
Well, session info can be altered, so simply making it all hang on a boolean value leaves it out there... What I do is store session info in the DB, along with the user credentials. In the session, I save the session_id and the user_id; every time I check for isLoggedIn I check the two values against the DB.

EDIT: by the way, you can make the data global so you only check the DB once


Best way to handle user auth? - El Forum - 09-23-2007

[eluser]Rick Jolly[/eluser]
Storing an "is_logged_in" boolean in the session is fine. You might store the username instead, or depending on your needs, a user object complete with roles for authorization purposes. At any rate, it's important to know about the security of your sessions. Does the session expire when the user's browser closes, or is it persistent (is the session id stored in browser memory or in a file on the client)? Are session data stored on the client or server? If session data is on the client, is it encrypted? If session data is stored on the server but not in your database, is it stored in a publicly accessible directory (/temp or /tmp)?
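The questions above map onto concrete CodeIgniter session settings. The fragment below is an added example for this thread, not code from any poster; it uses the `sess_*` and `cookie_secure` keys of CodeIgniter 2.x's `application/config/config.php` (some of them, such as `sess_expire_on_close`, `sess_use_database` and `cookie_secure`, did not exist in the 1.5 release current when the thread was written), and the encryption key is a placeholder.

```php
<?php
// Added example (not from the thread): CodeIgniter 2.x session settings that
// answer the checklist in the post above. Each comment names the weaker
// alternative so the trade-off is visible.

// Does the session expire when the browser closes, or is it persistent?
$config['sess_expire_on_close'] = TRUE;   // FALSE keeps the cookie for sess_expiration seconds
$config['sess_expiration']      = 7200;   // idle timeout; 0 would mean "never expire"

// Is session data stored on the client or on the server?
$config['sess_use_database']    = TRUE;   // FALSE keeps all userdata inside the cookie itself
$config['sess_table_name']      = 'ci_sessions';

// If any data does live in the cookie, is it encrypted?
$config['sess_encrypt_cookie']  = TRUE;   // FALSE sends the serialized userdata in clear text
$config['encryption_key']       = 'REPLACE-WITH-32-RANDOM-CHARACTERS'; // placeholder, generate your own

// Extra checks against a stolen or guessed session cookie
$config['sess_match_useragent'] = TRUE;
$config['sess_match_ip']        = FALSE;  // TRUE breaks users behind changing proxies / mobile IPs
$config['sess_time_to_update']  = 300;    // rotate the session id every 5 minutes

// Only send the cookie over HTTPS so it cannot be sniffed on the wire
$config['cookie_secure']        = TRUE;
```

With `sess_use_database` enabled nothing but the session id (and the IP/user-agent fingerprint) travels in the cookie, so the "publicly accessible /tmp" worry from the post does not arise: the data sits in your own `ci_sessions` table rather than in PHP's default session save path.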


Best way to handle user auth? - El Forum - 09-24-2007

[eluser]danfreak[/eluser]
Hey ballen,

if you want a ready-to-go system to handle user authentication, registration, remember password, change password, ACL system, check out FreakAuth.

It's a pluggable, layered (design separated from content) and extendable Auth/ACL library for CI.

Dan

PS: session stuff is stored in DB via the db-session library


Best way to handle user auth? - El Forum - 09-24-2007

[eluser]ballen[/eluser]
Thanks everyone, most helpful. In this case I want to be able to use the CI session library (though most probably switch to DBsession). I was editing the "Userlib" library to better suit my needs when I noticed it hits the database each time to check login, and thought that there must be a better way of handling it.

[quote author="Rick Jolly" date="1190625416"]Does the session expire when the user's browser closes, or is it persistent (is the session id stored in browser memory or in a file on the client)?[/quote]
I'm using CI default setting here, so it will expire after 2 hours.

[quote author="Rick Jolly" date="1190625416"]Are session data stored on the client or server? If session data is on the client, is it encrypted?[/quote]
Will be stored in the cookie and database, although probably just database after switch to DBsession. Encryption set to true in CI config.

So basically I could:

Code:
// store the logged-in user's name in the CI session
$newdata = array(
    'username' => 'johndoe'
);

$this->session->set_userdata($newdata);

AND

Code:
// userdata() returns FALSE when the key is not set
if ($this->session->userdata('username')) {
    // logged in
} else {
    // not logged in
}

[Noob question alert] How would I go about storing a user object in the session?

[quote author="danfreak" date="1190637951"]Hey ballen,

if you want a ready-to-go system to handle user authentication, registration, remember password, change password, ACL system, check out FreakAuth.
[/quote]
Thanks for that, I had seen it but it's a bit too much for my needs. I'd already had a poke around in the source though :)

Thanks again


Best way to handle user auth? - El Forum - 09-24-2007

[eluser]deviant[/eluser]
You could store the whole object by using the serialize function, but I think that's maybe a little over the top. It's better to just store the user ID in the session and retrieve the rest of the user data from the DB on every page load.
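Putting Majd Taby's and deviant's suggestions together (keep only identifiers in the session, validate them against a server-side record, load the user once per request and cache it) gives a small CodeIgniter library. The code below is an added example for this thread, not code from any poster or from FreakAuth/Userlib; it assumes a `users` table with `id`, `username` and `password_hash` columns and a `user_sessions` table with `token` and `user_id` columns (both schemas are assumptions), the CodeIgniter 2.x `session` and `db` APIs, and PHP 7+ for `password_verify()` and `random_bytes()`. Instead of pairing the CI `session_id` with the user (CI rotates that id every `sess_time_to_update` seconds, which would break the pairing), it issues its own random login token.

```php
<?php
// Added example, not from the thread. File: application/libraries/Auth.php
// Only two identifiers live in the session cookie: user_id and a random
// login token. Both must match a row in user_sessions before the session
// is trusted, so editing the cookie alone cannot log someone in.
class Auth
{
    private $CI;
    private $user    = null;   // user row loaded for this request
    private $checked = false;  // has the DB already been consulted this request?

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->database();
        $this->CI->load->library('session');
    }

    // Verify the password, record a new login token server-side and put
    // only (user_id, token) into the session.
    public function login($username, $password)
    {
        $row = $this->CI->db->get_where('users', array('username' => $username))->row();
        if (!$row || !password_verify($password, $row->password_hash)) {
            return false;   // same response for unknown user and wrong password
        }

        $token = bin2hex(random_bytes(32));   // 256-bit random login token
        $this->CI->db->insert('user_sessions', array(
            'token'   => $token,
            'user_id' => $row->id,
            'created' => time(),
        ));
        $this->CI->session->set_userdata(array(
            'user_id'    => $row->id,
            'auth_token' => $token,
        ));

        unset($row->password_hash);   // never keep the hash around in memory/cache
        $this->user    = $row;
        $this->checked = true;
        return true;
    }

    // Check the (user_id, token) pair against the DB once per request;
    // later calls in the same request reuse the cached answer.
    public function is_logged_in()
    {
        if ($this->checked) {
            return $this->user !== null;
        }
        $this->checked = true;

        $uid   = $this->CI->session->userdata('user_id');
        $token = $this->CI->session->userdata('auth_token');
        if (!$uid || !$token) {
            return false;
        }

        $q = $this->CI->db->select('u.id, u.username')
            ->from('users u')
            ->join('user_sessions s', 's.user_id = u.id')
            ->where('s.user_id', (int) $uid)
            ->where('s.token', $token)
            ->get();

        if ($q->num_rows() !== 1) {
            return false;   // tampered cookie or revoked session: treat as logged out
        }
        $this->user = $q->row();
        return true;
    }

    // The loaded user row, or null; the DB is hit at most once per request.
    public function user()
    {
        return $this->is_logged_in() ? $this->user : null;
    }

    // Remove the server-side record first so a copied cookie dies with the logout.
    public function logout()
    {
        $token = $this->CI->session->userdata('auth_token');
        if ($token) {
            $this->CI->db->delete('user_sessions', array('token' => $token));
        }
        $this->CI->session->sess_destroy();
        $this->user    = null;
        $this->checked = true;
    }
}
```

Usage in a controller is `$this->load->library('auth'); if (!$this->auth->is_logged_in()) redirect('login');`. Because the lookup is cached in the library instance, calling `is_logged_in()` or `user()` from a controller, a helper and a view in the same request still costs a single query, which is the "make the data global" point from the EDIT above. Deleting a user's rows from `user_sessions` logs them out everywhere, something a pure `is_logged_in` boolean in the cookie cannot do.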