Session data
#1

[eluser]rijobo[/eluser]
Hello,

I've got a login form which I'm using from the book Professional CodeIgniter.

This is the function in the model:

Code:
function verifyUser($u,$pw){
        // Look up one active member whose username and password column match
        // the submitted values (the password is compared directly against the
        // 'wachtwoord' column, exactly as posted).
        $this->db->select('id,gebruikersnaam');
        $this->db->where('gebruikersnaam',$u);
        $this->db->where('wachtwoord', $pw);
        $this->db->where('status', 'actief');
        $this->db->limit(1);
        $Q = $this->db->get('leden');
        if ($Q->num_rows() > 0){
            $row = $Q->row_array();
            // Written to PHP's native $_SESSION array, not to CodeIgniter's session library
            $_SESSION['gebruikersid'] = $row['id'];
            $_SESSION['gebruikersnaam'] = $row['gebruikersnaam'];
        }else{
            // "Sorry, your username or password is incorrect!"
            $this->session->set_flashdata('error', 'Sorry, uw gebruikersnaam of wachtwoord is niet juist!');
        }
    }
When I echo $_SESSION['gebruikersid'] I see 1, so that's correct.

This controller function uses this model function:

Code:
function verify(){
        // Only act on a submitted login form
        if ($this->input->post('gebruikersnaam')){
            $u = $this->input->post('gebruikersnaam');
            $pw = $this->input->post('wachtwoord');
            $this->mleden->verifyUser($u,$pw);
            // Relies on $_SESSION having been filled by the model in this same request
            if ($_SESSION['gebruikersid'] > 0){
                redirect('ledenhoek/dashboard','refresh');
            }
        }
    }

It redirects me to ledenhoek/dashboard, which is the controller function:

Code:
class Dashboard extends Controller {
    function Dashboard(){
        parent::Controller();
        // Native PHP session: $_SESSION only carries data from an earlier request
        // if session_start() had also been called before that data was written.
        session_start();
        if ($_SESSION['gebruikersid'] < 1){
            redirect('home/index','refresh');
        }
    }
    
    function index(){
        $data['title'] = "Ledenhoek Just4Fun";
        $data['main'] = 'content';
        $data['content'] = $this->mpaginas->getContent('leden_home');
        $this->load->vars($data);
        $this->load->view('dashboard');
    }
}

The problem is that this page redirects me to home/index, but I do have the $_SESSION['gebruikersid'] set.
Can anybody help me with this?
#2

[eluser]WanWizard[/eluser]
CodeIgniter doesn't use (without external libraries) standard PHP sessions. So you don't need session_start(), and you can't use direct access to $_SESSION. Instead, check the user guide on how to use sessions.
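The same login flow rewritten to go through CodeIgniter's session library instead of `$_SESSION`, as an added example that is not code from the thread or from the book. It assumes CodeIgniter 1.7.x (hence `parent::Model()` / `parent::Controller()`), that the `session` and `database` libraries are autoloaded, and that the dashboard controller lives at `application/controllers/ledenhoek/dashboard.php` (a guess from the `ledenhoek/dashboard` redirect). The `Home` controller, the `logout()` method and the `mpaginas` model load are additions; the table and column names are the ones from the original post.

```php
<?php
// Added example, not from the thread or the book. Assumes CodeIgniter 1.7.x with
// 'session' and 'database' autoloaded in application/config/autoload.php.

// application/models/mleden.php
class Mleden extends Model {
    function Mleden(){
        parent::Model();
    }

    // Returns the member row on success, FALSE otherwise. The model no longer
    // touches session state; that is left to the controller.
    // The password is still compared as on the page (plaintext 'wachtwoord'
    // column); a real deployment should compare a salted hash instead.
    function verifyUser($u, $pw){
        $this->db->select('id,gebruikersnaam');
        $this->db->where('gebruikersnaam', $u);
        $this->db->where('wachtwoord', $pw);
        $this->db->where('status', 'actief');
        $this->db->limit(1);
        $Q = $this->db->get('leden');
        return ($Q->num_rows() > 0) ? $Q->row_array() : FALSE;
    }
}

// application/controllers/home.php  (controller name assumed from the
// 'home/index' redirect in the original post)
class Home extends Controller {
    function Home(){
        parent::Controller();
        $this->load->model('mleden');
    }

    function verify(){
        // input->post() returns FALSE for a missing field in CI 1.7
        $u  = $this->input->post('gebruikersnaam');
        $pw = $this->input->post('wachtwoord');
        if ($u === FALSE || $pw === FALSE){
            redirect('home/index', 'refresh');
        }
        $row = $this->mleden->verifyUser($u, $pw);
        if ($row === FALSE){
            // "Sorry, your username or password is incorrect!"
            $this->session->set_flashdata('error', 'Sorry, uw gebruikersnaam of wachtwoord is niet juist!');
            redirect('home/index', 'refresh');
        }
        // With sess_use_database = TRUE this lands in the ci_sessions table;
        // only the session id (plus CI's bookkeeping fields) goes to the client.
        $this->session->set_userdata(array(
            'gebruikersid'   => (int) $row['id'],
            'gebruikersnaam' => $row['gebruikersnaam'],
        ));
        redirect('ledenhoek/dashboard', 'refresh');
    }

    function logout(){
        $this->session->sess_destroy();
        redirect('home/index', 'refresh');
    }
}

// application/controllers/ledenhoek/dashboard.php  (path assumed)
class Dashboard extends Controller {
    function Dashboard(){
        parent::Controller();
        $this->load->model('mpaginas');
        // userdata() returns FALSE when the key is absent, so an anonymous
        // visitor is redirected instead of tripping an undefined-index notice.
        if ((int) $this->session->userdata('gebruikersid') < 1){
            redirect('home/index', 'refresh');
        }
    }

    function index(){
        $data['title']   = "Ledenhoek Just4Fun";
        $data['main']    = 'content';
        $data['content'] = $this->mpaginas->getContent('leden_home');
        $this->load->vars($data);
        $this->load->view('dashboard');
    }
}
```

Note that no `session_start()` appears anywhere: CodeIgniter's library manages its own cookie and, when configured, its own table, so mixing in PHP's native session functions only creates a second, unrelated session.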
#3

[eluser]rijobo[/eluser]
Thank you!
But the book says that when you use login systems, you should use standard PHP sessions and not the CI sessions, because of the security. Isn't that true?
#4

[eluser]WanWizard[/eluser]
How old is this book?

Earlier versions (pre-1.5 or so) used only cookies to store session information, which indeed isn't that secure, since you're sending sensitive info to the client.

The current CI version however supports database sessions. In which case all session data is stored in a database table, and only the session_id is sent to the client in a cookie, which you can encrypt for further security. If you set up your sessions to use the database, no data is sent to the client, so it can be used for security-sensitive information without problems.
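The configuration that turns on the database-backed sessions described above, as an added example (not from the thread or the CodeIgniter distribution). The `$config` keys are the ones in CodeIgniter 1.7.x's `application/config/config.php`; the `CREATE TABLE` statement is the one from the 1.7 user guide (later versions widen `user_agent` and add an index on `last_activity`). The `Install` controller that creates the table is a convenience for this example and should be removed after one run.

```php
<?php
// Added example, not from the thread. Target: CodeIgniter 1.7.x.

// ---- application/config/config.php (session block) ----
// The Session class refuses to load at all without an encryption_key, even when
// the cookie itself is not encrypted; generate a random 32-character value.
$config['encryption_key']       = 'REPLACE-WITH-A-RANDOM-32-CHAR-KEY';

$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;   // seconds; 0 means never expire
$config['sess_encrypt_cookie']  = TRUE;   // encrypt the cookie with encryption_key
$config['sess_use_database']    = TRUE;   // keep user_data in the table, not in the cookie
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;  // TRUE logs out users behind rotating proxies
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;    // regenerate the session id every 5 minutes

// With sess_use_database = TRUE the cookie carries only session_id, ip_address,
// user_agent and last_activity; everything passed to set_userdata() is stored in
// the user_data column and looked up by session_id on each request.

// ---- application/controllers/install.php (one-off; delete after use) ----
class Install extends Controller {
    function Install(){
        parent::Controller();
        $this->load->database();
    }

    // Creates the table the session library expects (schema from the 1.7 user guide).
    function sessions(){
        $this->db->query("
            CREATE TABLE IF NOT EXISTS `ci_sessions` (
                session_id    varchar(40)      DEFAULT '0' NOT NULL,
                ip_address    varchar(16)      DEFAULT '0' NOT NULL,
                user_agent    varchar(50)      NOT NULL,
                last_activity int(10) unsigned DEFAULT 0   NOT NULL,
                user_data     text             NOT NULL,
                PRIMARY KEY (session_id)
            )
        ");
        echo 'ci_sessions table ready';
    }
}
```

Expired rows are purged by the library's own garbage collector, which runs with a small probability on each request, so the table does not need an external cron job unless traffic is very low.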
#5

[eluser]glopglop[/eluser]
[quote author="WanWizard" date="1281669850"]
The current CI version however supports database sessions. In which case all session data is stored in a database table, and only the session_id is sent to the client in a cookie, which you can encrypt for further security. If you set up your sessions to use the database, no data is sent to the client, so it can be used for security-sensitive information without problems.[/quote]

And what if I want to use neither DB nor cookies (only memory)? I had a look at Native Session (http://codeigniter.com/wiki/Native_session/) and it looks like the correct solution, am I right?
#6

[eluser]WanWizard[/eluser]
1) all session solutions use a cookie. The only alternative is PHP's native sessions that supports adding the session ID to the URL, which is something you shouldn't do.
2) you should always store data server side. That rules out the cookie-only solution CI provides by default, and leaves only the database solution.
3) Third-party solutions are available that use different storage solutions, file based (native session) or mixed.

I still have to run into the first situation where file-based session storage is a better solution than database storage. The only situation I can think of is if you have a server with a fast disk and a slow database (shared hosting?). But imho that doesn't solve anything, because it will give you slightly faster session I/O, but your application itself will still be very slow, since session I/O is limited to one read and one write per session (you have to extend the session class for that), while the rest of your application requires a lot more database access, and with probably a lot more complex queries...
#7

[eluser]glopglop[/eluser]
[quote author="WanWizard" date="1285034135"]1) all session solutions use a cookie. The only alternative is PHP's native sessions that supports adding the session ID to the URL, which is something you shouldn't do.
2) you should always store data server side. That rules out the cookie-only solution CI provides by default, and leaves only the database solution.
3) Third-party solutions are available that use different storage solutions, file based (native session) or mixed.

I still have to run into the first situation where file-based session storage is a better solution than database storage. The only situation I can think of is if you have a server with a fast disk and a slow database (shared hosting?). But imho that doesn't solve anything, because it will give you slightly faster session I/O, but your application itself will still be very slow, since session I/O is limited to one read and one write per session (you have to extend the session class for that), while the rest of your application requires a lot more database access, and with probably a lot more complex queries...[/quote]

As I plan to use Amazon database services for DB hosting, inserting rows in the DB for sessions is going to cost a lot of money (as new row insertion is part of the pricing).
I was rather considering using HTTPS and an encrypted session ID in the URL (as on the client side I am not using a web browser but an iPhone application accessing XML-RPC services powered by CI).



