Authentication and Sessions
#6

Peng Kong
Sorry Michael, maybe there's something you know that I don't. Don't worry, there's really no offense taken; maybe I can learn something new here.

Please teach me how to hijack and spoof a CI session that uses an encrypted cookie and the database.

And EVEN if the cookie wasn't encrypted... and EVEN if you could spoof the session (by stealing or recreating the cookie before the 5 min refresh, and matching the IP address and user agent), how would you change the "integer" in the database for the session you managed to spoof and be logged in as anyone you like?

Also, isn't that what dx_auth, tank_auth and all the other auth libs do?

dx_auth

Code:
// Set session data array (everything the library later trusts is
// written into the session here, keyed off the authenticated $data row)
$user = array(
    'DX_user_id'             => $data->id,
    'DX_username'            => $data->username,
    'DX_role_id'             => $data->role_id,
    'DX_role_name'           => $role_data['role_name'],
    'DX_parent_roles_id'     => $role_data['parent_roles_id'],    // Array of parent role_id
    'DX_parent_roles_name'   => $role_data['parent_roles_name'],  // Array of parent role_name
    'DX_permission'          => $role_data['permission'],
    'DX_parent_permissions'  => $role_data['parent_permissions'],
    'DX_logged_in'           => TRUE
);

$this->ci->session->set_userdata($user);
Code:
// Check if user is logged in: the session flag alone decides
function is_logged_in()
{
    return $this->ci->session->userdata('DX_logged_in');
}


tank_auth

Code:
// Login user: the user id and activation status go into the session
$this->ci->session->set_userdata(array(
    'user_id'   => $user->id,
    'username'  => $user->username,
    'status'    => STATUS_ACTIVATED,
));
Code:
// Logged in when the stored status matches the requested activation state
function is_logged_in($activated = TRUE)
{
    return $this->ci->session->userdata('status') === ($activated ? STATUS_ACTIVATED : STATUS_NOT_ACTIVATED);
}

Simplelogin

Code:
// Set session data: user id plus username
$this->CI->session->set_userdata(array('id' => $user_id, 'username' => $user));


ReduxAuth

Code:
// Store the identity column (e.g. username or email) of the logged-in user
$this->session->set_userdata($identity_column, $result->{$identity_column});

I could list 10 more examples that store the ID in the session to consider a user signed in.

Maybe we're all wrong and shouldn't write authentication stuff... =(

How would you consider a user signed in without storing ID in session?

Please enlighten!
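As an added illustration of the point argued in the post above (this is example code written for this page, not code from the original post, from CodeIgniter, or from any of the libraries quoted), the following Python sketch models the two session designs under discussion: a server-side ("database") session where the cookie carries only an opaque random id, and a client-side cookie session whose payload is integrity-protected with an HMAC. In both, the attacker is free to edit the cookie bytes; the check is whether doing so changes the user_id the server ends up trusting. The secret key, IP addresses, user agents and user ids are all constructed values, and the IP/user-agent matching is a simplified stand-in for what the thread describes, not a claim about how CI implements it.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed server secret (constructed for the example; real apps load it from config).
SECRET_KEY = b"constructed-example-key-do-not-reuse"


class DbSessionStore:
    """Server-side sessions: the cookie is an opaque id, user_id stays in the 'db'."""

    def __init__(self):
        self._rows = {}  # session_id -> row; stands in for the sessions table

    def create(self, user_id, ip, user_agent):
        session_id = secrets.token_hex(16)  # 128 random bits, not guessable
        self._rows[session_id] = {"user_id": user_id, "ip": ip, "ua": user_agent}
        return session_id

    def user_for(self, session_id, ip, user_agent):
        """Return the logged-in user_id, or None if the session is not valid."""
        row = self._rows.get(session_id)
        if row is None:
            return None
        # A stolen id presented from a different client is rejected.
        if row["ip"] != ip or row["ua"] != user_agent:
            return None
        return row["user_id"]


def _encode(data):
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(data):
    """Client-side session: base64(json) followed by an HMAC-SHA256 tag."""
    payload = _encode(data)
    return payload + "." + _mac(payload)


def read_cookie(cookie):
    """Verify the tag before trusting any field; return None on tampering."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    if not hmac.compare_digest(tag, _mac(payload)):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None


def forge_user_id(cookie, new_user_id):
    """What an attacker without SECRET_KEY can do: rewrite user_id, keep the old tag."""
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["user_id"] = new_user_id
    return _encode(data) + "." + tag


def demo():
    """Run both designs against tampering attempts; returns what the server sees."""
    store = DbSessionStore()
    ip, ua = "203.0.113.5", "ExampleBrowser/1.0"
    sid = store.create(user_id=42, ip=ip, user_agent=ua)
    # Stolen id replayed from another client, and an id with one character edited.
    stolen_elsewhere = store.user_for(sid, "198.51.100.9", "OtherAgent/2.0")
    edited_sid = sid[:-1] + ("0" if sid[-1] != "0" else "1")
    edited = store.user_for(edited_sid, ip, ua)

    cookie = sign_cookie({"user_id": 42, "username": "alice", "logged_in": True})
    forged = forge_user_id(cookie, 1)  # try to become user 1 without the key
    return {
        "db_legit": store.user_for(sid, ip, ua),
        "db_stolen_other_client": stolen_elsewhere,
        "db_edited_id": edited,
        "cookie_legit": read_cookie(cookie)["user_id"],
        "cookie_forged": read_cookie(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The thing to notice is that in neither design does the attacker get to pick the integer: with the server-side store the cookie never contains it, and with the signed cookie changing it invalidates the tag. The remaining exposure is theft of a valid cookie (XSS, an unencrypted transport, a shared machine), which is why the IP/user-agent binding and the periodic id refresh the post mentions matter.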

