Managing login to multiple CodeIgniter applications with ion_auth
#1

Hi, the scenario is that we host 3 different CI apps that use ion_auth as the authentication module, and all 3 are hosted on the same server. Each of the 3 has its own database where ion_auth should look for matching credentials.
For example, we have:

app1's admin is : '[email protected]', with db : 'app1_db', url : '192.168.1.100/app1'
app2's admin is : '[email protected]', with db : 'app2_db', url : '192.168.1.100/app2'

app1's admin password is : 'monkey' while app2's admin password is different, say : 'horse'

If app1's admin logs in successfully to the app1 system, the current behaviour is that if he types the URL to app2, app1's admin can also access the app2 system too.


I don't think this is the intended behaviour. Problem is, maybe I don't know how to make the separation among these 3 CI apps correctly. I'd thought having separate databases for credentials would be sufficient. Maybe there's something with sessions that can be done?
#2

Sounds like a security issue where a good session cookie is allowing instant login, yes?
#3

(03-25-2018, 12:23 AM)skunkbad Wrote: Sounds like a security issue where a good session cookie is allowing instant login, yes?

Thanks for your reply. Any pointers to quickly overcome my problems above?

I guess there are myriad solutions out there. And while I research which one is suitable for what is needed in this scenario, I could just go with disabling cookies in the CI apps, no?
#4

How have you configured your cookies correctly?
PHP Code:
// app1's config.php
$config['cookie_prefix']    = 'app1_';
$config['cookie_domain']    = '192.168.1.100';
$config['cookie_path']      = '/app1/';

// app2's config.php
$config['cookie_prefix']    = 'app2_';
$config['cookie_domain']    = '192.168.1.100';
$config['cookie_path']      = '/app2/';
#5

(This post was last modified: 03-29-2018, 05:26 PM by ciadmin.)

Define the cookies two times in the config file, but the session only a single time.
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

By:Xtreem Solution

#6

(This post was last modified: 03-30-2018, 09:25 PM by aleifuu.)

Thanks for all your suggestions. Appreciate it =)


*Update 31 March 2018*

Pretty much solved it by giving each app its own unique session name in config.php.
Previously all 3 apps used the same 'ci_session' as session name/identifier. I guess that's what mixed it up.
Haven't had time to fiddle around with cookies, but I think I will make sure the cookie names are unique based on domain and path as well.

Cheers,
Reply
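
An added example (not from any post in this thread, and not CodeIgniter or ion_auth code): a small PHP model of browser cookie path matching (RFC 6265, section 5.1.4) showing why a shared `ci_session` name with path `/` carries app1's session cookie into the other apps on the same host, and how a per-app session name and path stop that. The `appN_session` names, the `/` path in the "before" case and the `app3` entry are assumptions; it models cookie scoping only, not server-side session storage.

```php
<?php
// Added example with constructed configs: which apps on 192.168.1.100 receive
// app1's session cookie under the cookie name they read their own session from.

// RFC 6265 section 5.1.4 path-match: is a cookie scoped to $cookiePath
// sent with a request for $requestPath?
function path_match(string $cookiePath, string $requestPath): bool
{
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strncmp($requestPath, $cookiePath, strlen($cookiePath)) !== 0) {
        return false; // cookie path is not a prefix of the request path
    }
    // A prefix only counts when it ends on a path-segment boundary.
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

// Apps that would treat the cookie issued at $loggedInApp as their own session cookie.
function apps_accepting_cookie(array $apps, string $loggedInApp): array
{
    $cookie = $apps[$loggedInApp]; // name and path of the cookie set at login
    $hits = [];
    foreach ($apps as $name => $cfg) {
        $sent = path_match($cookie['cookie_path'], "/$name/");
        if ($sent && $cfg['sess_cookie_name'] === $cookie['sess_cookie_name']) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Before: every app uses the same session name and a host-wide path (assumed '/').
$shared = ['sess_cookie_name' => 'ci_session', 'cookie_path' => '/'];
$before = ['app1' => $shared, 'app2' => $shared, 'app3' => $shared];

// After: a unique session name and path per app (illustrative names).
$after = [];
foreach (['app1', 'app2', 'app3'] as $app) {
    $after[$app] = ['sess_cookie_name' => "{$app}_session", 'cookie_path' => "/$app/"];
}

echo 'before: ', implode(', ', apps_accepting_cookie($before, 'app1')), PHP_EOL;
echo 'after:  ', implode(', ', apps_accepting_cookie($after, 'app1')), PHP_EOL;
```

In CodeIgniter 3 the session cookie takes its name from `sess_cookie_name` and the Session library ignores `cookie_prefix`, so the session name is the setting to make unique per app; `cookie_path` then keeps the browser from sending one app's cookie to another at all.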