Authentication and Sessions
#11

[eluser]Peng Kong[/eluser]
Code:
Remember the difference between encrypting and hashing - hashing is one way. Sure, a rainbow table is going to find the hash for integers pretty quick, but it would take quite a while for a rainbow table to find the hash for an unknown combination of data (let's say, a concatenation of the user's salt, username, password, and timestamp of record creation). That's where the true security lies in this - you grab their ID and token (the concatenation hash), select on the DB, hash their record and see if it matches the token. If not, something has been tampered with.

OK, but can't I simply just copy the cookie when the user isn't at his desk and do a session fixation attack from my own computer?

Sorry, I really don't know how non-DB CI sessions work... I always use DB sessions because authentication is my main use case for sessions.

Oh, and what unknown combination are you talking about with an auth library released in the open? Haha, everyone knows the long combination unless you change it. And if you're smart enough to change it for security, you would have figured out that no cookie-standalone auth is going to work.
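As an added illustration (not code from this thread or from any CodeIgniter auth library), here is the ID-plus-record-hash scheme the quoted post describes, in Python; the row fields, the `|` separator and the sample user are assumptions. It also makes the point raised in this reply concrete: verification only checks that the presented token matches the stored record, so the cookie is a bearer credential that stays valid for anyone who holds it until one of the hashed record fields changes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed "users table" row. Field names are an assumption, chosen to
# match the post: salt, username, (hashed) password, record creation time.
@dataclass(frozen=True)
class UserRow:
    id: int
    salt: str
    username: str
    password_hash: str
    created_at: str  # timestamp of record creation, as stored in the DB

def make_token(row: UserRow) -> str:
    """Hash of the concatenated record fields, as in the quoted scheme."""
    material = "|".join([row.salt, row.username, row.password_hash, row.created_at])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def issue_cookie(row: UserRow) -> str:
    """Cookie value sent to the browser: '<id>:<token>'."""
    return f"{row.id}:{make_token(row)}"

def verify_cookie(cookie: str, lookup: Callable[[int], Optional[UserRow]]) -> Optional[UserRow]:
    """Re-hash the DB record for the presented ID and compare with the token.

    Returns the row on success, None otherwise. Nothing here ties the cookie
    to a particular client: whoever presents the exact string is accepted.
    """
    try:
        id_str, token = cookie.split(":", 1)
        user_id = int(id_str)
    except ValueError:
        return None  # malformed cookie
    row = lookup(user_id)
    if row is None:
        return None  # unknown user id
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(make_token(row), token):
        return None  # token does not match the current record
    return row
```

Because the token is derived from record fields only, the sole way an issued cookie stops working in this scheme is a change to one of those fields (e.g. a password change); there is no per-session state to expire or revoke.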

