Authentication and Sessions
#16

[eluser]Joseph Wensley[/eluser]
[quote author="Michael Wales" date="1265405068"]You're making a lot of assumptions here though - you are assuming the developer has session encryption turned on and is using database storage of the session (which has its own set of pros/cons).

Your post also made it seem as if your authentication library was only storing the ID - no other information, which is obviously a bad idea.

Wouldn't it be exponentially more secure to store the user ID and a hash of some of the user's data in the session? This simple change, regardless of the application's configuration, gives you the means to identify the user (the ID) and validate the session data hasn't been tampered with (the hashed data from their record).[/quote]

I am using encrypted sessions and database storage so I don't think anyone spoofing the session will be an issue.

As for storing the id and a hash in the session would something like this be what you mean?
Code:
<?php
function login()
{
    $CI =& get_instance();
    
    $data['username'] = $CI->input->post('username');
    $data['password'] = $this->hash_password($CI->input->post('password'));

    $query = $CI->db->get_where('users', array('username' => $data['username'], 'password' => $data['password']));
    $rows = $query->num_rows();
    
    if($rows == 1)
    {
        $row = $query->row();
        
        // Fingerprint of the user record, stored next to the id so that
        // is_loggedin() can check the session still matches the record
        $hash = $this->hash_password($row->username.$row->id.$row->password);
        
        $session_data = array(
            'user_id'        => $row->id,
            'hash'            => $hash,
        );
        $CI->session->set_userdata($session_data);
        
        return array(TRUE, null);
    }
    else
    {
        return array(FALSE, 'Username/Password combination does not exist');
    }    
}

function is_loggedin()
{
    $CI =& get_instance();

    if($CI->session->userdata('user_id') && $CI->session->userdata('hash')){
        $user_id = $CI->session->userdata('user_id');
        $sess_hash = $CI->session->userdata('hash');
        
        $query = $CI->db->get_where('users', array('id' => $user_id));
        if($query->num_rows() != 1){
            // No such user any more (row() would be NULL): treat as logged out
            return FALSE;
        }
        $row = $query->row();
        
        // Recompute the fingerprint from the current record and compare it
        // with the one saved at login; strict comparison avoids PHP's loose
        // "==" behaviour on numeric-looking hash strings
        $hash = $this->hash_password($row->username.$row->id.$row->password);
        
        if($hash === $sess_hash){
            return TRUE;
        }else{
            return FALSE;
        }
    }else{
        return FALSE;
    }
}

?>
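The scheme discussed in this post (user id plus a fingerprint of the record in the session, rechecked on every request) as a stand-alone added example, not code from the thread or from CodeIgniter. It differs from the post's version in two ways: the fingerprint is a keyed HMAC under a server-side secret rather than a bare hash, so knowing a user's row is not enough to forge a matching session value, and the comparison uses hash_equals. The in-memory $users table, the $session array standing in for the session store, and the key generated at startup are all constructed for the demo.

```php
<?php
// Added example (not from the original post or CodeIgniter): bind a session
// to the user record it was created from with a keyed HMAC. The $users table,
// the $session array and the server key below are hypothetical demo values.

// Server-side secret that keys the fingerprint. In a real deployment this is
// loaded from configuration and kept stable across requests; a fresh random
// value is generated here only so the script runs on its own.
$SESSION_KEY = random_bytes(32);

// Constructed sample user table keyed by id, with password_hash() hashes
$users = array(
    7 => array('username' => 'alice', 'password' => password_hash('correct horse', PASSWORD_DEFAULT)),
    8 => array('username' => 'bob',   'password' => password_hash('hunter2',       PASSWORD_DEFAULT)),
);

// Fingerprint over the fields the session is bound to. A NUL separator keeps
// "ab"."c" and "a"."bc" from producing the same input.
function record_fingerprint($key, $id, array $row)
{
    $material = implode("\0", array((string) $id, $row['username'], $row['password']));
    return hash_hmac('sha256', $material, $key);
}

// Login: verify the submitted password against the stored hash, then return
// the data to put in the session (user id plus keyed fingerprint), or null.
function login(array $users, $key, $username, $password)
{
    foreach ($users as $id => $row) {
        if ($row['username'] === $username && password_verify($password, $row['password'])) {
            return array('user_id' => $id, 'hash' => record_fingerprint($key, $id, $row));
        }
    }
    return null;
}

// is_loggedin: reload the record named by the session, recompute the
// fingerprint and compare in constant time. Fails closed when the user no
// longer exists, when a bound field changed (password reset, renamed account)
// or when the session's user_id was swapped for another user's.
function is_loggedin(array $users, $key, $session)
{
    if (!is_array($session) || !isset($session['user_id'], $session['hash'])) {
        return false;
    }
    $id = (int) $session['user_id'];
    if (!isset($users[$id])) {
        return false;
    }
    $expected = record_fingerprint($key, $id, $users[$id]);
    return hash_equals($expected, (string) $session['hash']);
}

// Demo: a good login, a session whose user_id was swapped while keeping
// Alice's fingerprint, and the same session after Alice's password is reset
$session = login($users, $SESSION_KEY, 'alice', 'correct horse');
var_dump(is_loggedin($users, $SESSION_KEY, $session));

$tampered = $session;
$tampered['user_id'] = 8;
var_dump(is_loggedin($users, $SESSION_KEY, $tampered));

$users[7]['password'] = password_hash('new password', PASSWORD_DEFAULT);
var_dump(is_loggedin($users, $SESSION_KEY, $session));

var_dump(login($users, $SESSION_KEY, 'alice', 'wrong'));
```

Run it with the php CLI. Only the first check should pass: the swapped id fails because the fingerprint was computed over Alice's id and fields, and the original session fails after the password reset because the bound password field no longer matches, which is the property that makes "change password" also mean "log out everywhere". Binding to the password hash rather than the cleartext means nothing secret is written to the session, and the HMAC key keeps the stored value from being recomputable by anyone who only has a copy of the users table.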

