Keeping the cart information when login and logging out
#3

[eluser]earlyriser[/eluser]
Here is the login function from SimpleSecureLogin. When the user logs in, the old session is destroyed and a new one is created.

If I delete the lines marked "Destroy old session" and "Create a fresh, brand new session", the cart is preserved, but I want to know what security issues this could introduce.

Code:
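/**
 * Authenticate a user by e-mail address and password and start a logged-in session.
 *
 * Looks the address up in $this->user_table, verifies the password with phpass,
 * replaces the current session with a new one, records the login time and
 * stores the user row (without the password hash) in the new session.
 *
 * @param string $user_email E-mail address identifying the account.
 * @param string $user_pass  Plain-text password to verify against the stored hash.
 * @return bool TRUE when the session already belongs to this address or the
 *              credentials are valid; FALSE otherwise.
 */
function login($user_email = '', $user_pass = '')
    {
        $this->CI =& get_instance();

        // Only non-empty strings are acceptable credentials; request parameters
        // can also arrive as arrays, which must not reach the query or the hasher.
        if (!is_string($user_email) || !is_string($user_pass) || $user_email === '' || $user_pass === '')
        {
            return false;
        }

        // Already logged in as this address.
        // Strict comparison on purpose: with loose ==, a missing session value
        // could compare equal to a falsy-looking address and report a login
        // that never happened.
        if ($this->CI->session->userdata('user_email') === $user_email)
        {
            return true;
        }

        // Look the account up in the user table (value is escaped by where()).
        $this->CI->db->where('user_email', $user_email);
        $query = $this->CI->db->getwhere($this->user_table);

        if ($query->num_rows() <= 0)
        {
            return false;
        }

        $user_data = $query->row_array();

        $hasher = new PasswordHash(PHPASS_HASH_STRENGTH, PHPASS_HASH_PORTABLE);

        if (!$hasher->CheckPassword($user_pass, $user_data['user_pass']))
        {
            return false;
        }

        // Replace the session at the moment privileges change. Keeping the
        // pre-login session identifier would let an identifier that was known
        // before authentication remain valid afterwards (session fixation).
        // To carry data such as a cart across login, read it before this point
        // and write it into the new session below; do not remove these calls.
        $this->CI->session->sess_destroy();
        $this->CI->session->sess_create();

        // Record the login time through the query builder so user_id is escaped
        // instead of concatenated into the SQL text. NOW() is passed unescaped
        // (third argument FALSE) because it is an SQL function, not a value.
        $this->CI->db->set('user_last_login', 'NOW()', FALSE);
        $this->CI->db->where('user_id', $user_data['user_id']);
        $this->CI->db->update($this->user_table);

        // Never place the password hash in the session.
        // NOTE(review): every other column of the user row is stored; if the
        // session is cookie-backed, confirm none of them is sensitive.
        unset($user_data['user_pass']);
        $user_data['user'] = $user_data['user_email']; // for compatibility with Simplelogin
        $user_data['logged_in'] = true;
        $this->CI->session->set_userdata($user_data);

        return true;
    }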




