Should session_regenerate_id be used in CI 3?
#1

Hello. I want to make my site more secure and wonder if/when one should use session_regenerate_id in CI 3.
#2

(This post was last modified: 09-04-2020, 07:02 PM by php_rocs.)

@valema,

When you say make your site more secure, what have you already implemented to make it secure in its current state? In regards to your question, it depends how you plan to use session variables.
#3

Hello @php_rocs.
Thanks for answering. The application is online, for time reporting. Users can't get accounts from outside. Only an existing user can register another user.

Pages exposed to public: log-in page and forgot-password page.

The login searches the db for username etc.
If login fails, the ip is saved in the db, and too many failures block the ip.
When using forgot-pw-page an 'access-token' is baked in so a request must come from 'my' form (then I found CI has such security functions out of the box).
For logged in users:
There are 3 levels: superadmin, company-boss, employed. Each controller function has a level check that guards level-wise (I started coding a 'concern-handler' that would protect 'resources' like userdata). A 4th level is under development.

I don't use binding in queries.
I make many queries in raw sql.

On log out, I delete all session...

In session I save:
Username
Userid
Site language
If a time report is started but not ended (work check in/out).

Those features I recall now.
#4

@valema,

NOT binding your queries could be a big security hole. It opens you up to possible SQL injections.
Is your site https? If not then I would get the SSL cert and implement it for your site. This will also help your site to be listed higher at Google (https://fourdots.com/blog/why-you-need-s...et-it-2169).
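The login flow described in post #3 (look up the user, record failed attempts per IP, block after too many) combined with the binding advice from post #4, as an added CodeIgniter 3 example that is not code from this thread. It also shows where session ID regeneration from the opening question fits: CI3's `$this->session->sess_regenerate()` wraps PHP's `session_regenerate_id()`. Table and column names (`users`, `login_failures`, `password_hash`, `failed_at`), the lockout threshold and the window are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Table/column names and the
// lockout numbers below are assumed for illustration.
defined('BASEPATH') OR exit('No direct script access allowed');

class Auth_model extends CI_Model
{
    const MAX_FAILURES   = 5;             // assumed lockout threshold
    const FAILURE_WINDOW = '-15 minutes'; // assumed lockout window

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
    }

    // Raw SQL with '?' placeholders: the driver escapes each bound value, so
    // whatever is typed into the username field is compared as a literal
    // string and never becomes part of the SQL text.
    public function find_user($username)
    {
        $sql   = 'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1';
        $query = $this->db->query($sql, array($username));
        return $query->row(); // NULL when no row matched
    }

    // Count recent failures for an IP; a blocked IP never reaches the
    // password check, which also keeps the cost of repeated attempts low.
    public function ip_blocked($ip)
    {
        $since = date('Y-m-d H:i:s', strtotime(self::FAILURE_WINDOW));
        $query = $this->db->query(
            'SELECT COUNT(*) AS n FROM login_failures WHERE ip = ? AND failed_at > ?',
            array($ip, $since)
        );
        return (int) $query->row()->n >= self::MAX_FAILURES;
    }

    public function record_failure($ip)
    {
        // The query builder escapes values as well; insert() takes an array.
        $this->db->insert('login_failures', array(
            'ip'        => $ip,
            'failed_at' => date('Y-m-d H:i:s'),
        ));
    }

    // Returns TRUE on success. The session ID is regenerated after the
    // credentials check and before any privileged data is stored, so the
    // pre-login (anonymous) session ID is never carried into the logged-in
    // session.
    public function login($username, $password, $ip)
    {
        if ($this->ip_blocked($ip)) {
            return FALSE;
        }

        $user = $this->find_user($username);
        if ($user === NULL || ! password_verify($password, $user->password_hash)) {
            $this->record_failure($ip);
            return FALSE;
        }

        // sess_regenerate(TRUE) calls session_regenerate_id(TRUE): new ID,
        // old session storage destroyed.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata(array(
            'user_id'  => (int) $user->id,
            'username' => $user->username,
        ));
        return TRUE;
    }
}
```

The same two habits apply to the password-reset page: bind the token value rather than concatenating it, and regenerate the session ID again once the reset completes. On logout, `$this->session->sess_destroy()` removes the server-side data, which matches "I delete all session" from post #3.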
#5

Ok. Thanks. Yes it's https.
#6

(This post was last modified: 10-14-2020, 01:26 AM by valema.)

I had a case where I used a "write_log" function that wrote to database, since I could not use error_log for a while.

Then I had lines similar to

$data = array("check_out_time" => "2020-01-01 20:00");

$this->db->where('id', 2);                        // pending WHERE for the update below
$this->user_model->write_log("Will update post"); // runs its own query, which consumes that WHERE
$this->db->update('time_reports', $data);         // now runs without a WHERE clause

I damaged 285 lines of data in database.

The "where" call was lost after calling the "write_log".

---

Edit/note:

I can in general avoid such accident by avoiding Db-update. My model was a 'reports' model (for work - stamping in/out) having something similar like: starting_time, ending_time, staff_id, job_id. The design forces me to update a row when entering just the ending_time (at the check out). I can follow the normalization rules and make the 'check' atomic. The table would be split into two:

A. Report (id, staff_id, job_id)
B. Check (id, direction, time_of_reporting, report_id)

Direction would be 'in' or 'out'.
With such design the stamping out would mean an insert (not an update).

My other thoughts are uploaded to https://aiam-rapport.se/index.php/pages/...upon_error
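The query-builder pitfall from post #6 and the two ways out of it (keep the condition attached to the statement and verify the row count, or use the insert-only `Report`/`Check` design from the edit), as an added CodeIgniter 3 example that is not code from this thread. `time_reports`, `check_out_time`, `check`, `direction`, `time_of_reporting` and `report_id` come from the posts; the model and method names, the `app_log` table and the use of transactions are assumptions.

```php
<?php
// Added example, not from the thread. Model/method names, the app_log
// table and the transaction handling are assumed for illustration.
defined('BASEPATH') OR exit('No direct script access allowed');

class Time_report_model extends CI_Model
{
    // The ordering from the post: write_log() runs an INSERT through the same
    // query builder, which resets the pending where('id', ...) clause, so the
    // UPDATE that follows has no WHERE and touches every row in the table.
    public function check_out_unsafe($report_id, $check_out_time)
    {
        $this->db->where('id', $report_id);
        $this->write_log('Will update post');
        $this->db->update('time_reports', array('check_out_time' => $check_out_time));
    }

    // Safer version: pass the condition into update() itself so nothing can
    // run between building and executing it, log afterwards, and roll back if
    // more rows were touched than one id can match.
    public function check_out($report_id, $check_out_time)
    {
        $this->db->trans_begin();

        $this->db->update(
            'time_reports',
            array('check_out_time' => $check_out_time),
            array('id' => (int) $report_id)
        );
        $affected = $this->db->affected_rows();

        if ($affected > 1) {
            // A primary-key match can never exceed one row; something is wrong.
            $this->db->trans_rollback();
            $this->write_log("check_out aborted: $affected rows matched id=$report_id");
            return FALSE;
        }

        $this->write_log("Updated time_reports id=$report_id");
        $this->db->trans_commit();
        return TRUE;
    }

    // Insert-only variant from the redesign in the post: stamping out is a new
    // row in the check table, so there is no UPDATE and no WHERE to lose.
    public function add_check($report_id, $direction, $time_of_reporting)
    {
        if (! in_array($direction, array('in', 'out'), TRUE)) {
            return FALSE;
        }
        return $this->db->insert('check', array(
            'report_id'         => (int) $report_id,
            'direction'         => $direction,
            'time_of_reporting' => $time_of_reporting,
        ));
    }

    // Stand-in for the poster's database-backed write_log(); any query here
    // clears whatever where() state the caller had accumulated.
    private function write_log($message)
    {
        $this->db->insert('app_log', array(
            'message'   => $message,
            'logged_at' => date('Y-m-d H:i:s'),
        ));
    }
}
```

The row-count check is the part worth keeping even without transactions: with MySQL, `affected_rows()` reports rows actually changed, so 0 is normal for a repeated, identical check-out, but a count above 1 on a primary-key update is the "285 lines damaged" situation and should never be committed.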