Should session_regenerate_id be used in CI 3?
Hello. I want to make my site more secure and wonder if/when one should use session_regenerate_id in CI 3.
Hello @php_rocs.
Thanks for answering. The application is online, for time reporting. Users can't get accounts from outside; only an existing user can register another user. Pages exposed to the public: the log-in page and the forgot-password page. The login searches the DB for the username etc. If login fails, the IP is saved in the DB, and too many failures block the IP. When using the forgot-password page an 'access token' is baked in so a request must come from 'my' form (then I found CI has such security functions out of the box). For logged-in users: there are 3 levels, superadmin, company boss, employee. Each controller function has a level check that guards level-wise (I started coding a 'concern handler' that would protect 'resources' like user data). A 4th level is under development. I don't use binding in queries; I make many queries in raw SQL. On log out, I delete the whole session. In the session I save: username, user id, site language, and whether a time report is started but not ended (work check in/out). Those are the features I recall now.
@valema,
NOT binding your queries could be a big security hole. It opens you up to possible SQL injections. Is your site https? If not then I would get the SSL cert and implement it for your site. This will also help your site to be listed higher at Google (https://fourdots.com/blog/why-you-need-s...et-it-2169).
I had a case where I used a "write_log" function that wrote to database, since I could not use error_log for a while.
Then I had lines similar to: $data = array("check_out_time" => "2020-01-01 20:00"); $this->db->where('id', 2); $this->user_model->write_log("Will update post"); $this->db->update('time_reports', $data); I damaged 285 lines of data in the database. The "where" call was lost after calling "write_log". --- Edit/note: I can in general avoid such an accident by avoiding DB update. My model was a 'reports' model (for work, stamping in/out) having something similar to: starting_time, ending_time, staff_id, job_id. The design forces me to update a row when entering just the ending_time (at the check out). I can follow the normalization rules and make the 'check' atomic. The table would be split into two: A. Report (id, staff_id, job_id) B. Check (id, direction, time_of_reporting, report_id). Direction would be 'in' or 'out'. With such a design the stamping out would mean an insert (not an update). My other thoughts are uploaded to https://aiam-rapport.se/index.php/pages/...upon_error
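An added CodeIgniter 3 example (not code posted by anyone in this thread) that ties the three points together: bound parameters for the login lookup instead of raw SQL, keeping where() and update() together so an intervening query (like the write_log call above) cannot consume the where clause, rolling back if more than one row was touched anyway, and regenerating the session id after login, which is what CI 3 wraps session_regenerate_id in. Table and column names follow the thread; the Report_model and Auth controller names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes CI 3 with the database and
// session libraries loaded and the tables/columns named in the thread.
class Report_model extends CI_Model
{
    // Login lookup with query binding: the username travels as a bound value,
    // never concatenated into the SQL string.
    public function find_user($username)
    {
        $sql = 'SELECT id, username, level FROM users WHERE username = ? LIMIT 1';
        return $this->db->query($sql, array($username))->row();
    }

    // Check-out: where() and update() are issued back to back, so no other
    // query builder call can run in between and reset the where clause.
    // The update is wrapped in a transaction and rolled back if it touched
    // more than the single row it was meant for.
    public function check_out($report_id, $time)
    {
        $this->db->trans_begin();
        $this->db->where('id', $report_id)
                 ->update('time_reports', array('check_out_time' => $time));
        $affected = $this->db->affected_rows();
        if ($affected > 1) {
            $this->db->trans_rollback();
            log_message('error', "check_out would have touched {$affected} rows for report {$report_id}; rolled back");
            return FALSE;
        }
        $this->db->trans_commit();
        // Any logging happens only after the update has been committed.
        log_message('info', "check_out committed for report {$report_id}");
        return TRUE;
    }
}

class Auth extends CI_Controller
{
    // After credentials are verified: store the user data, then give the
    // session a fresh id (TRUE destroys the old session file) so an id that
    // existed before login cannot be reused for the logged-in session.
    protected function start_login_session($user)
    {
        $this->session->set_userdata(array('userid' => $user->id, 'username' => $user->username));
        $this->session->sess_regenerate(TRUE);
    }
}
```

With MySQL, affected_rows() counts rows whose values actually changed, which is why the guard tests for more than one row rather than exactly one.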