CodeIgniter Forums
setting custom session variables - Printable Version



setting custom session variables - El Forum - 11-27-2007

[eluser]mistress_shiira[/eluser]
Hi guys!
I just want your comments on this. I have a callback function on my validation that checks for the username and password. I tried to set the logged_in field to 1 on successful validation before directing it to another page.
I tried to do this:
Code:
$this->session->set_userdata('logged_in',1);
But when I look at my ci_sessions table, the logged_in field remained 0.

Is session the correct way for me to do this or not?
Basically, I don't want the users to be able to access other pages if they are not logged in.

Thanks!


setting custom session variables - El Forum - 11-27-2007

[eluser]gtech[/eluser]
I have used the session for the same purpose and it works well. The session does time out (which is a good thing).

Does this bit of code work (you should get a 1 displayed on the page)?
Code:
$this->session->set_userdata('logged_in',1);
print_r($this->session->userdata('logged_in'));



setting custom session variables - El Forum - 11-27-2007

[eluser]Michael Wales[/eluser]
Using the default sessions library, only the standard session data is saved to the database. Custom session data is still saved to the cookie, even if you configure it to use the database.


setting custom session variables - El Forum - 11-28-2007

[eluser]mistress_shiira[/eluser]
@gtech: Yes, I tried that and got 1 on the page as output, but then
when I verify it on my database, the value does not change.


setting custom session variables - El Forum - 12-07-2007

[eluser]WolfgangA[/eluser]
I just wonder whether:

- Storing the userid (encrypted) in a cookie should be considered a security issue?
And if so:
- Whether it would make sense to extend the Session lib to support storing the user_id in the db?

Regards

Wolfgang


setting custom session variables - El Forum - 12-16-2007

[eluser]theswede[/eluser]
*bump*

Is it standard praxis to store variables such as 'is_logged_in' using the session lib? Does CI in any way prevent tampering of those cookies?


setting custom session variables - El Forum - 01-05-2008

[eluser]WolfgangA[/eluser]
You can use a session lib that does store session data (except the session_id, of course) in a database on the server side.
You can also encrypt session data.


setting custom session variables - El Forum - 01-07-2008

[eluser]theswede[/eluser]
So it is dangerous to store sessions in this way?


setting custom session variables - El Forum - 01-07-2008

[eluser]tonanbarbarian[/eluser]
Technically, if your session processing is just storing information in the cookie, it could be considered dangerous.
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that, don't worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion
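
The distinction drawn in the post above, shown as an added example that is not part of the original thread and is not CodeIgniter code: session data carried in an unauthenticated cookie versus a cookie that holds only a random session id. All function and class names are hypothetical, and an in-memory array stands in for the database table.

```php
<?php
// Added illustration in plain PHP; every name here is hypothetical.

// Pattern A: the session data itself travels in the cookie, unauthenticated.
function cookie_session_read(string $cookie): array {
    $data = json_decode((string) base64_decode($cookie), true);
    return is_array($data) ? $data : [];
}

// Pattern B: the cookie carries only a random id; data stays on the server.
final class ServerSessionStore {
    private array $rows = [];   // constructed stand-in for a sessions table

    public function create(array $data): string {
        $id = bin2hex(random_bytes(16));   // 128-bit unguessable id
        $this->rows[$id] = $data;
        return $id;                        // the only value sent to the browser
    }

    public function read(string $id): array {
        return $this->rows[$id] ?? [];     // unknown id: empty, logged-out session
    }

    public function set(string $id, string $key, $value): bool {
        if (!isset($this->rows[$id])) {
            return false;
        }
        $this->rows[$id][$key] = $value;
        return true;
    }
}

function is_logged_in(array $session): bool {
    return ($session['logged_in'] ?? 0) === 1;
}

// Pattern A: the server trusts whatever the browser sends back.
$issued = base64_encode(json_encode(['logged_in' => 0]));
$edited = base64_encode(json_encode(['logged_in' => 1]));   // changed client-side
var_dump(is_logged_in(cookie_session_read($issued)), is_logged_in(cookie_session_read($edited)));

// Pattern B: changing the cookie only selects a different (or no) row.
$store = new ServerSessionStore();
$sid   = $store->create(['logged_in' => 0]);
$other = bin2hex(random_bytes(16));                          // id the server never issued
var_dump(is_logged_in($store->read($sid)), is_logged_in($store->read($other)));

$store->set($sid, 'logged_in', 1);   // server-side only, after the password check
var_dump(is_logged_in($store->read($sid)));
```

In pattern A the flag follows whatever the cookie says; in pattern B it changes only when server code calls `set()`.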


setting custom session variables - El Forum - 01-10-2008

[eluser]theswede[/eluser]
[quote author="tonanbarbarian" date="1199784497"]Technically, if your session processing is just storing information in the cookie, it could be considered dangerous.
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that, don't worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion[/quote]

Thank you, that is exactly what I wanted to know :)