[eluser]boltsabre[/eluser]
Change your config
Code:
$config['sess_cookie_name'] = 'ci_session';
to something obscure like
Code:
$config['sess_cookie_name'] = 'sd8fd8343k3';
Otherwise a hacker can come along and see the "ci_session" in their cookies and go "wow... so now I know this website is using CodeIgniter, do I know any tricky little hacks just for CI? And as such, I now ALSO know it's going to be a PHP application, what hacks do I know related to PHP?". Not a major thing, but for such an easy fix well worth your efforts - keep those little buggers guessing everything as long as possible! (in the same vein, you should modify your .htaccess/index.php and remove any and all mentions to .php in your urls).
Another trick I use is, when someone logs in, I store their user_id and email_address (plus some other stuff) in the session. I also "double" store the user_id and email_address in the session, but call it something obscure in the session like "old_promo_code" and "referal_code". I'll also add a random 10 characters to the start and end of both of these "obscure" entries.
Then (I keep my function "is_logged_in" in a helper) when I call the just mentioned function on my restricted pages I'll strip those random characters out and then compare if "user_id" == "old_promo_code" and if "user_email" == "referal_code". It's just a little check; if they've already hacked your session, you've got bigger fish to fry, but it should catch the non-advanced hackers who try to change the session user_id or email, but miss the "double" up of it.
If it passes the above test, I'll then also get the user email from the DB related to session user_id. If they don't match, login failed. This stops people from tampering with the actual session user_id... they can change it, but unless they also know the matching email address then they're stuck.
I'm not a security expert, but all these above things are pretty low in processing power/db hits, and all just add a few little extra layers of protection and complexity to a potential hacker to try to get around... with soooo many insecure sites out there, unless yours makes an exciting target (i.e., storage of credit card details), if you make it hard enough, most hackers will just give up after a little and try to find some easier prey.
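One way to write the two checks described in the post above as a CodeIgniter 2.x helper (added example, not boltsabre's own code). Assumed: a `users` table with `id` and `email` columns; the session key names and the ten-character padding are taken from the post, the function names are my own.

```php
<?php
// Added example, not the poster's code. Assumes CodeIgniter 2.x, a 'users'
// table with 'id' and 'email' columns, and the session keys named in the post.
define('OBSCURE_PAD_LEN', 10);              // 10 random chars on each side

// Random alphanumeric padding of $len characters (a decoy, not a secret).
function _obscure_pad($len)
{
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
    return substr(str_shuffle(str_repeat($chars, $len)), 0, $len);
}

// Strip the padding from a "double" entry; FALSE if it is too short to be valid.
function _strip_pad($value)
{
    if (!is_string($value) || strlen($value) < 2 * OBSCURE_PAD_LEN) {
        return FALSE;
    }
    return substr($value, OBSCURE_PAD_LEN, strlen($value) - 2 * OBSCURE_PAD_LEN);
}

// Call at login: store the real values plus the padded "double" copies.
function store_login_session($user_id, $user_email)
{
    $CI =& get_instance();
    $CI->session->set_userdata(array(
        'user_id'        => $user_id,
        'user_email'     => $user_email,
        'old_promo_code' => _obscure_pad(OBSCURE_PAD_LEN) . $user_id . _obscure_pad(OBSCURE_PAD_LEN),
        'referal_code'   => _obscure_pad(OBSCURE_PAD_LEN) . $user_email . _obscure_pad(OBSCURE_PAD_LEN),
    ));
}

// Restricted pages call this: the double-copy check first, then the DB check.
function is_logged_in()
{
    $CI =& get_instance();
    $user_id    = $CI->session->userdata('user_id');
    $user_email = $CI->session->userdata('user_email');
    if (!$user_id || !$user_email) {
        return FALSE;                       // no session at all
    }
    if (_strip_pad($CI->session->userdata('old_promo_code')) !== (string) $user_id
        || _strip_pad($CI->session->userdata('referal_code')) !== (string) $user_email) {
        return FALSE;                       // user_id/email edited, "double" copy not updated
    }
    // CI 2.x row() returns an empty array (not NULL) when nothing matched.
    $row = $CI->db->get_where('users', array('id' => $user_id))->row();
    return (!empty($row) && $row->email === $user_email);
}
```

Because the default CodeIgniter 2.x session lives in the client's cookie, this only detects edits that miss the duplicated copy; `$config['sess_use_database'] = TRUE` (or `sess_encrypt_cookie`) keeps the user data off the client and is the stronger fix.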