[eluser]Unknown[/eluser]
Hello. First of all, I'm pretty new to CodeIgniter and my English isn't really good. I'll try to be as clear as possible.
I don't really understand how CI sessions work.
I'll make an example so you can understand better.
Login page (simplified):
Code:
if ($this->login())
{
    // Saves to the ci_session table: session_id, ip_address, user_agent, last_activity
    $this->load->library('session');
    // user_id is used to set up the page based on it (e.g. user profile?)
    $this->session->set_userdata('user_id', $this->id);
    redirect('protectpage');
}
So now, to show the page only to logged-in users, I did something like this:
protectpage:
Code:
// Saves to the ci_session table: session_id, ip_address, user_agent, last_activity
$this->load->library('session');
if ($this->session->userdata('session_id') && preg_match("/^[a-zA-Z0-9]{32}$/", $this->session->userdata('session_id')))
{
    $this->db->from('ci_sessions');
    $this->db->where('session_id', $this->session->userdata('session_id'));
    $query = $this->db->get();
    if ($query->num_rows() > 0)
    {
        echo "logged...";
    }
}
If I do this, the user will always be logged in, because when I load the session library it saves a new session to the database/cookie.
I guess I should do something like this on the login page:
$this->session->set_userdata('logged_in', TRUE);
But how secure is this? I mean, if someone who is logged in changes the ci_session cookie to another user_id, what will happen?
And a last question:
The session_id changes every 5 minutes, but the old session isn't removed immediately. It will be removed based on a random time, right?
Thanks for the help ^^
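
On the cookie question at the end of the post, an added example that is not part of the original post and is not CodeIgniter's own code: the general technique of an integrity-protected session cookie, where the server appends a keyed hash to the userdata and discards any cookie whose contents no longer match it. The names seal_cookie, open_cookie, is_logged_in and SECRET_KEY are hypothetical, and the key and sample values are constructed.

```php
<?php
// Added illustration, not CodeIgniter's own code: a session cookie that carries
// userdata plus a keyed hash, so a value edited in the browser is rejected.

const SECRET_KEY = 'constructed-demo-key-change-me'; // constructed sample key

// Hypothetical helper: encode the userdata and append an HMAC over it.
function seal_cookie(array $userdata): string
{
    $payload = base64_encode(json_encode($userdata));
    $mac     = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

// Hypothetical helper: return the userdata only if the HMAC still matches.
function open_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null; // malformed cookie
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null; // payload was changed after the server issued it
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    return is_array($data) ? $data : null;
}

// Hypothetical gate for the protected page: an existing session is not
// enough; the flag set at login must be present as well.
function is_logged_in(?array $userdata): bool
{
    return $userdata !== null
        && ($userdata['logged_in'] ?? false) === true
        && isset($userdata['user_id']);
}

// Constructed sample cookies.
$issued    = seal_cookie(['user_id' => 7, 'logged_in' => true]);
$edited    = base64_encode(json_encode(['user_id' => 1, 'logged_in' => true]))
           . '.' . explode('.', $issued, 2)[1]; // userdata changed, old hash kept
$anonymous = seal_cookie([]); // a session exists, but nobody logged in

var_dump(is_logged_in(open_cookie($issued)));
var_dump(is_logged_in(open_cookie($edited)));
var_dump(is_logged_in(open_cookie($anonymous)));
```

Only the cookie the server issued after a login passes the gate; the edited cookie fails the hash check, and the anonymous session fails because it has no logged_in flag.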