Authentication and Sessions
#1

Joseph Wensley
I've built my own authentication system for a project, but I just realized I have a security hole and I'm not completely sure how to fix it.

I'm using CI's built-in session management and checking the session to see if the user is logged in.

Code:
function is_loggedin()
{
    // Get an instance of the CodeIgniter object
    $CI =& get_instance();

    // TRUE only while the session carries the logged_in flag
    if($CI->session->userdata('logged_in') == TRUE)
    {
        return TRUE;
    }else{
        return FALSE;
    }
}

But I've realized if a user is deleted they won't be logged out until the session expires.

My two solutions that I've thought of are to only store the user's id and check the database every time is_loggedin() is called, OR check the user_data of every session in the DB and delete any that are from the user being deleted.

Any thoughts about which of these would be the best way to go about it, or is there another option I am not thinking of?
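
The two options from the post above, side by side, as an added example that is not part of the original post or of CodeIgniter: the check re-validates the account on every call, and deleting a user removes that user's sessions in the same transaction. It uses plain PDO with an in-memory SQLite database instead of CI's session library; the table layout, the `user_id` column on the sessions table, the `delete_user()` helper and the sample rows are assumptions made up for the illustration.

```php
<?php
// Constructed stand-in for the application's database (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
// Assumption: sessions carry an indexed user_id column, so revocation is a
// single DELETE instead of unpacking the user_data of every session row.
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO sessions VALUES ('sess-a', 1), ('sess-b', 2), ('sess-c', 2)");

// Option 1: the session stores only the user id, and every check confirms
// that the account still exists before treating the request as logged in.
function is_loggedin(PDO $db, array $session)
{
    if (empty($session['user_id'])) {
        return FALSE;
    }
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = ?');
    $stmt->execute(array($session['user_id']));
    return $stmt->fetchColumn() !== FALSE;
}

// Option 2: deleting a user also deletes that user's session rows, inside
// one transaction so no session can outlive the account.
function delete_user(PDO $db, $user_id)
{
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $del->execute(array($user_id));
    $revoked = $del->rowCount();
    $db->prepare('DELETE FROM users WHERE id = ?')->execute(array($user_id));
    $db->commit();
    return $revoked; // number of sessions that were revoked
}

$bob = array('user_id' => 2);               // constructed session data
var_dump(is_loggedin($db, $bob));           // account exists
var_dump(delete_user($db, 2));              // sessions removed with the account
var_dump(is_loggedin($db, $bob));           // stale session no longer passes
var_dump(is_loggedin($db, array('user_id' => 1))); // other users unaffected
```

Option 2 only takes effect when session data lives server-side; a session kept entirely in the client's cookie can only be invalidated by the per-request check in option 1.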

