Delete and *never use* ci_session cookie?
#3

IanMcQ
Thanks.

The reason why I've switched authentication systems is because I believe a hacker abused the (bad) system that I had set up w/ CI. You see, I wanted to be able to access user data DIRECTLY from the database. So, I ran a hook on every page to update the session information ($this->session->set_userdata) to keep the session in sync with the database. The session data (cookie, ci_session) had EVERYTHING about a user, including things like issiteadmin=1, etc.

So, my guess is a hacker screwed with his or her browser to change that cookie from issiteadmin=0 to issiteadmin=1, thus giving them access to my web-based admin panel.

As to the new authentication system... well, I'll keep that a secret. ;)
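
An added example, not part of IanMcQ's post and not CodeIgniter's own code: one way to close the hole described above is to keep only a user id in the cookie, protect it with an HMAC, and read issiteadmin from the server-side record on every request. The key, the cookie layout and the `$USERS` array (standing in for the database) are assumptions made for this sketch.

```php
<?php
// Added example. $SECRET, the cookie layout and $USERS are constructed assumptions.
$SECRET = 'replace-with-a-long-random-server-side-key';
$USERS  = [42 => ['name' => 'alice', 'issiteadmin' => 0],
           1  => ['name' => 'root',  'issiteadmin' => 1]];

// Issue a cookie that holds only the user id plus an HMAC over it.
function issue_cookie(int $userId, string $secret): string {
    $payload = json_encode(['uid' => $userId]);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

// Return the user id, or null if the cookie is malformed or was modified.
function read_cookie(string $cookie, string $secret): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $parts[1])) return null;   // constant-time compare
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid']) || !is_int($data['uid'])) return null;
    return $data['uid'];
}

// Authorization comes from the server-side record, never from the cookie.
function is_site_admin(?int $userId, array $users): bool {
    return $userId !== null && isset($users[$userId])
        && $users[$userId]['issiteadmin'] === 1;
}

// Untouched cookie for a non-admin user.
$cookie = issue_cookie(42, $SECRET);
var_dump(is_site_admin(read_cookie($cookie, $SECRET), $USERS));

// Cookie edited in the browser: new payload, old MAC. The MAC check rejects it,
// and the issiteadmin field inside the payload is never consulted anyway.
[, $mac] = explode('.', $cookie, 2);
$edited = base64_encode(json_encode(['uid' => 1, 'issiteadmin' => 1])) . '.' . $mac;
var_dump(read_cookie($edited, $SECRET));
var_dump(is_site_admin(read_cookie($edited, $SECRET), $USERS));
```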

