Authentication and Sessions
#9

[eluser]Peng Kong[/eluser]
[quote author="Michael Wales" date="1265405068"]
Wouldn't it be exponentially more secure to store the user ID and a hash of some of the user's data in the session? This simple change, regardless of the application's configuration, gives you the means to identify the user (the ID) and validate the session data hasn't been tampered with (the hashed data from their record).
[/quote]

Interesting~... and that's a good idea, Michael.

I didn't really think about the "regardless of the application's configuration" part, since I thought it was obvious you shouldn't store the id IN a plaintext cookie (which the user can edit) and use it straight away to consider the user authenticated! Okay, never mind, you're right... bad assumption.

I mean, hell~ I won't even store it with some encrypted hash... someone might figure out how you're hashing it and there goes security. And isn't that still vulnerable to spoofing and session fixation?! Even though you can't edit the id because you can't guess the hash?

Wow, but it looks like a lot of other auth libraries also didn't consider the fact that a programmer might have his CI session setting not using the db.

Using the db for the CI session does have its pros & cons, but NOT in the case where you're using it for authentication, imo. There's no option: you have to use the db. Don't store anything in a cookie, seriously, just store it in the database. The cookie is just there to say you own this session in the db. There's no security w/o the db.
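The two ideas in this post, server-side sessions where the cookie is only an opaque lookup key, plus Michael's keyed hash of the user's record so a session dies when that record changes, as an added illustration that is not CodeIgniter code or anything from the thread. The in-memory dicts stand in for the session table and users table, and the server key is a constructed placeholder:

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never leaves the server (constructed value).
SERVER_KEY = b"constructed-server-secret-change-me"

# Constructed stand-ins for the users table and the DB-backed session table.
USERS = {7: {"email": "alice@example.com", "password_hash": "constructed-argon2-hash-v1"}}
SESSIONS = {}  # session id -> {"user_id": int, "fp": str}


def record_fingerprint(user):
    """Keyed hash over the record fields whose change should end existing sessions."""
    msg = (user["email"] + "\0" + user["password_hash"]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user_id):
    """Create a server-side session; only a random, unguessable id goes in the cookie.
    A fresh id per login also means a pre-set (fixated) id is never reused."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "fp": record_fingerprint(USERS[user_id])}
    return sid


def current_user(cookie_sid):
    """Resolve cookie -> session row -> user, re-checking the fingerprint on every request.
    Returns the user id, or None when the cookie is unknown or the record no longer matches."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return None  # forged or expired cookie: nothing to look up, nothing to trust
    user = USERS.get(sess["user_id"])
    if user is None or not hmac.compare_digest(sess["fp"], record_fingerprint(user)):
        SESSIONS.pop(cookie_sid, None)  # record changed under the session: revoke it
        return None
    return sess["user_id"]


def change_password(user_id, new_password_hash):
    """Update the record; every session created before this point now fails its fingerprint."""
    USERS[user_id]["password_hash"] = new_password_hash
```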




