Managing login to multiple CodeIgniter applications with ion_auth
Hi, the scenario is that we host 3 different CI apps that use ion_auth as the authentication module, and all 3 are hosted on the same server. Each of the 3 has its own database where ion_auth should look for matching credentials.
For example:
app1's admin is '[email protected]', with db 'app1_db', url '192.168.1.100/app1'
app2's admin is '[email protected]', with db 'app2_db', url '192.168.1.100/app2'
app1's admin password is 'monkey', while app2's admin password is different, say 'horse'.
If app1's admin logs in successfully to the app1 system, the current behaviour is that if he types the url to app2, app1's admin can access the app2 system too. I don't think this is the intended behaviour. The problem is, maybe I don't know how to make the separation among these 3 CI apps correctly. I'd thought having separate databases for credentials was sufficient. Maybe there's something with sessions that can be done?
Sounds like a security issue where a good session cookie is allowing instant login, yes?
(03-25-2018, 12:23 AM)skunkbad Wrote: Sounds like a security issue where a good session cookie is allowing instant login, yes?
Thanks for your reply. Any pointer to quickly overcome my problems above? I guess there are myriad solutions out there. And while I research which one is suitable for what is needed in this scenario, I could just go with disabling cookies in the CI apps, no?
Have you configured your cookies correctly?
PHP Code:
$config['cookie_prefix'] = 'app1_';
Define the cookies two times in the config file, but the session only a single time.
PHP Code:
$config['sess_driver'] = 'database';      // store sessions in a DB table instead of files
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;        // seconds
$config['sess_save_path'] = 'ci_sessions'; // table name when sess_driver is 'database'
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;     // regenerate the session id every 300 seconds
$config['sess_regenerate_destroy'] = FALSE;
By: Xtreem Solution
Thanks for all your suggestions. Appreciate it =)
*Update 31 March 2018* Pretty much solved it by giving each app its own unique session name in config.php. Previously all 3 apps used the same 'ci_session' as the session name/identifier. I guess that's what mixed it up. Haven't had time fiddling around with cookies, but I think I will make sure the cookie names are unique based on domain and path as well. Cheers,
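The fix the thread converges on (a distinct session cookie per app, plus path-scoped cookies) as one config file, written as an added example for this thread; it is not the original poster's code nor part of CodeIgniter or ion_auth. It assumes three CodeIgniter 3 apps under one host at /app1, /app2 and /app3, each with its own database as described above; the keys are the standard CI3 application/config/config.php keys. APP_ID is a hypothetical constant assumed to be defined per app (for example in each app's index.php), and the MY_Controller check assumes the login code stores that id in the session right after a successful ion_auth login.

```php
<?php
// Added example (not from the thread or from ion_auth). Assumes APP_ID is defined
// per application, e.g. define('APP_ID', 'app1'); in that app's index.php.

// --- Weak state the thread describes: identical in all three apps ---------------
// One cookie name, scoped to the whole host, so a session established at /app1 is
// also presented to /app2 and /app3. Kept here only to show what changes below.
$weak = array(
    'sess_cookie_name' => 'ci_session',
    'cookie_prefix'    => '',
    'cookie_path'      => '/',
);

// --- Corrected: per-app session and cookie settings -----------------------------
$app = APP_ID; // 'app1', 'app2' or 'app3'

$config['sess_driver']             = 'database';
$config['sess_cookie_name']        = $app . '_session'; // app1_session, app2_session, ...
$config['sess_expiration']         = 7200;
$config['sess_save_path']          = 'ci_sessions';     // table in this app's own database
$config['sess_match_ip']           = FALSE;
$config['sess_time_to_update']     = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']   = $app . '_';        // other cookies (e.g. CSRF) stay separate too
$config['cookie_domain']   = '';                // current host only
$config['cookie_path']     = '/' . $app . '/';  // browser sends the cookie only under this path
$config['cookie_secure']   = FALSE;             // set TRUE once the apps are served over HTTPS
$config['cookie_httponly'] = TRUE;              // keep the session cookie away from page scripts

// --- Defence in depth: application/core/MY_Controller.php -----------------------
// Even if a cookie were ever shared, refuse to trust a session another app created.
// Assumes the login code runs $this->session->set_userdata('app_id', APP_ID)
// after ion_auth reports a successful login (hypothetical, not ion_auth's own behaviour).
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');

        $logged_in = $this->session->userdata('user_id') !== NULL;
        if ($logged_in && $this->session->userdata('app_id') !== APP_ID) {
            // Session belongs to a different app: discard it rather than honour it.
            $this->session->sess_destroy();
            redirect('auth/login');
        }
    }
}
```

The path-scoped cookie only helps because the apps live under distinct path prefixes on the same host; if they shared a prefix, the distinct cookie name alone would keep them apart. Note that a cookie's Path attribute is a routing hint to the browser, not a security boundary: all three apps are the same origin, so the separate databases and the app_id check are what actually stop one app's session from being accepted by another.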