Redux Authentication 1.4a (24th July 2008)

[eluser]Sceneshift[/eluser]
Sure, I am aware of the functions, I just coded my own to incorporate some other aspects of my application. What I am worried about is security, for example I am checking if the user owns the page (and thusly has the rights to edit it) by checking if their session id matches the user_id in the database for that entry.

I am worried that session id could be potentially hacked?

[eluser]Popcorn[/eluser]
Thanks for your concern Sceneshift.

Well, since you are using your own login functions I will guide you on the 'login' logic.

A user will provide both an email address and a password, the method will then look up the email address and grab some data from the users table (hash, password, etc ...)

Both passwords will be hashed and then checked against each other, if they match then the users_id is set in the session.

The user_id is then used to identify the visitor, if the user_id exists, we assume they're logged in. From here we can check what group they're part of, etc ...

My advice to you would be to enable browser and ip checking in the CodeIgniter config.

Making Redux More Secure

Redux Authentication at the moment does not incorporate a database session library, so information is stored on the client's machine. However, we assume some clients will hack the cookie and gain access like you suggested. You will need to use a drop-in session replacement if you want to up the security.

http://codeigniter.com/wiki/KNDB_Session/
http://codeigniter.com/wiki/DB_Session/
http://codeigniter.com/wiki/DB2_Session/
http://codeigniter.com/wiki/NG_Session/
http://codeigniter.com/wiki/OB_Session/

These will take the information from the client's machine and store it in the database.

I've not decided if I should include a session library with Redux Authentication yet. Your views are appreciated, but I highly suggest that anyone using this in a commercial environment use a database session library.

Kind Regards,
-Mathew

[eluser]Sceneshift[/eluser]
Thanks for the notes there Popcorn, it's nice to see you are passionate enough about your library to take the time to give such a well-formed answer.

I'm a little confused where you say that Redux doesn't use a database session library; what is the difference between that and the session table we set up during installation?

I'll definitely turn on browser and IP checking though! Good tip there.

[eluser]Popcorn[/eluser]
Well, CodeIgniter only stores the User Agent, IP Address, Date, etc ... in the database, but not the actual session data, which it stores in the cookie. This is client-side, and the session data can be edited (bad).

A 3rd party session library will add a new column to your sessions table called session_data and store data there so the client has no chance of editing it.
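
The login flow Popcorn outlines above, together with the server-side session storage a DB session library provides, as an added example in plain PHP that is not Redux Authentication or CodeIgniter code. It assumes PHP 7 or later with password_hash()/password_verify() in place of the library's own hashing, and arrays standing in for the users and sessions tables.

```php
<?php
// Added example (not Redux Authentication or CodeIgniter code): login by email and password,
// with session data kept server-side so the cookie carries only an opaque, unguessable id.
declare(strict_types=1);

// Constructed stand-in for the users table: email => [id, password hash].
$users = [
    'alice@example.com' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
// Constructed stand-in for a sessions table with a session_data column: token => data.
$sessions = [];

// Look the user up by email, verify the password against the stored hash and, on success,
// create a server-side session. Returns the token to put in the cookie, or null on failure.
function login(array &$sessions, array $users, string $email, string $password): ?string
{
    $row = $users[$email] ?? null;
    // Verify against a dummy hash when the email is unknown so response time does not reveal valid emails.
    $hash = $row['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // the only value the client ever holds
    $sessions[$token] = ['user_id' => $row['id'], 'created' => time()];
    return $token;
}

// Resolve the cookie token to a user_id from the server-side store; null means not logged in.
function currentUserId(array $sessions, ?string $token): ?int
{
    return $token !== null ? ($sessions[$token]['user_id'] ?? null) : null;
}

// Ownership check for editing a page: the record's user_id must match the logged-in user.
// A forged or unknown token resolves to nothing, because the user_id never lives in the cookie.
function canEdit(array $sessions, ?string $token, int $pageOwnerId): bool
{
    $uid = currentUserId($sessions, $token);
    return $uid !== null && $uid === $pageOwnerId;
}

// Usage with the constructed data.
$token = login($sessions, $users, 'alice@example.com', 'correct horse');
var_dump($token !== null);                             // successful login
var_dump(canEdit($sessions, $token, 7));               // alice owns this record
var_dump(canEdit($sessions, $token, 9));               // someone else's record
var_dump(canEdit($sessions, 'forged-token-value', 7)); // unknown id, no session data to tamper with
var_dump(login($sessions, $users, 'alice@example.com', 'wrong') === null);
```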

[eluser]Sceneshift[/eluser]
Hmmm, is it not more efficient to encrypt and decode the session data using the built-in CodeIgniter encryption class?

[eluser]Popcorn[/eluser]
Maybe ...

But remember anyone can download CodeIgniter and view how it encrypts and decrypts those cookies, so with that information they could create their own fake cookie.

With a DB session, it's not possible.

[eluser]Sceneshift[/eluser]
Thanks for the help Popcorn. This worries me a bit because I am working on a large-scale, commercial project (and before you say that I shouldn't use CI for anything like that, it's my own company and we can't afford a huge development team), so I would be interested in any information / updates which go about making Redux more secure.

Thanks again.

[eluser]Popcorn[/eluser]
As I said, use a 3rd party session library that stores its data in the database and you'll be good to go.

No problem. :)

[eluser]Sceneshift[/eluser]
Adding an extra SQL query every time I want to authenticate seems like it might be a bit heavy... I might just add another password check every time the user edits any information which needs to be extra secure.

[eluser]Popcorn[/eluser]
Adding 1 extra SQL query won't be detrimental to your application's performance. A select statement is around 0.002 s.
