Authentication and Sessions
#13

[eluser]Peng Kong[/eluser]
[quote author="Peng Kong" date="1265408196"]
oh and what unknown combination are you talking about with an auth library released in the open? haha everyone knows the long combination unless you change it. And if you're smart enough to change it for security you would have figured no cookie standalone auth is going to work.[/quote]

sorry bad habit of editing stuff into posted stuff.

yep so as i was saying the worst case scenario is that the programmer won't change the default combination of stuff you used to hash, making it way less secure.
maybe only timestamp isn't guessable... but anyway this discussion won't go far. cookie standalone security is a bad idea. what's so hard about

Code:
$config['sess_use_database']    = TRUE;

makes everything so much more secure.

ci session without db isn't meant for auth... it's meant for say.. some flashdata kind of usage. maybe they should write that somewhere in the manual... wait in fact they did.

Quote:unless you store session data in a database there is no way to validate it.
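
The contrast argued in this post, as an added PHP example that is not part of the thread and is not CodeIgniter's or any auth library's code: a cookie-only session checked with a hash over a published default secret, next to a session whose data lives in a server-side store. The key value, the function names and the array standing in for the session table are assumptions made for illustration.

```php
<?php
// Added example. DEFAULT_KEY is a constructed value standing in for a
// hashing secret that ships with an open library and was never changed.
const DEFAULT_KEY = 'published-default-secret';

// Cookie-only: every session field travels in the cookie, guarded by a keyed hash.
function cookie_only_issue(array $data, string $key): string {
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function cookie_only_read(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison of the recomputed hash with the one supplied.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    return json_decode(base64_decode($payload), true);
}

// Database-backed: the cookie carries only a random id; the data never leaves the server.
function db_issue(array &$store, array $data): string {
    $id = bin2hex(random_bytes(16));
    $store[$id] = $data;
    return $id;
}

function db_read(array $store, string $id): ?array {
    return $store[$id] ?? null; // no matching row means no session
}

// A cookie the server never issued, built with the same public default key.
// The hash check only proves knowledge of the key, so it cannot tell this
// cookie apart from one the server created.
$client_made = cookie_only_issue(['user_id' => 1, 'is_admin' => true], DEFAULT_KEY);
var_dump(cookie_only_read($client_made, DEFAULT_KEY) !== null);

// With a server-side store, only ids the server recorded resolve to data.
$store  = []; // stands in for the session table
$issued = db_issue($store, ['user_id' => 42, 'is_admin' => false]);
var_dump(db_read($store, $issued) !== null);
var_dump(db_read($store, bin2hex(random_bytes(16))) !== null);
```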

