why query database when checking if user is logged in?
#1

[eluser]brazilius[/eluser]
Hi everybody,
I'm building the auth part of my application and examining different libraries.
So this is a function from Erkana Auth:
Code:
function try_session_login() {
    if ($this->CI->session->userdata('user_id')) {
        // user_id is passed as a bound parameter instead of being concatenated into the SQL string
        $query = $this->CI->db->query('SELECT COUNT(*) AS total FROM users WHERE id = ?', array($this->CI->session->userdata('user_id')));
        $row = $query->row();
        if ($row->total != 1) {
            // Bad session - kill it
            $this->logout();
            return FALSE;
        } else {
            return TRUE;
        }
    } else {
        return FALSE;
    }
}
And one thing I can't get is why query the database if the encrypted session data can be used,
and we can be sure that userdata can't be altered and the user_id we get from session->userdata is a true and existing value.
And if the value is set, the user is logged in and we know the user_id.
Anyway, it's much faster than asking the db.
Maybe I missed something when reading the session manual.
Thanks in advance.
#2

[eluser]Michael Wales[/eluser]
Quote:and we can be sure that userdata can't be altered
How are you so sure the data hasn't been altered? Encrypted !== trusted.

In the particular example you list - what if you have banned a user, or deleted a user, while they are browsing your site? If you don't check for the record they can continue using your site until their session expires.

A much better query would involve the storage of user_id and some other piece of information (password, salt, etc). This way it decreases the chances of a malicious user just changing a numerical value (even if it's encrypted) and accessing someone else's account.
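One way to implement the check described in this reply, as an added example (plain PHP, not Erkana Auth or CodeIgniter code): the session carries user_id plus a second token, and every request re-reads the user row, so a deleted or banned user, a swapped user_id, or a changed password all fail the check. The in-memory `$users` array is a constructed stand-in for the users table, and deriving the token from the stored password hash is this example's own choice.

```php
<?php
// Added example, not Erkana Auth or CodeIgniter code. The session stores
// user_id plus a token derived from the stored password hash, and every
// request re-reads the user row, so a deleted or banned user (and a session
// whose user_id was changed) is rejected even though the session is encrypted.

// Constructed in-memory stand-in for the `users` table.
$users = [
    1 => ['id' => 1, 'password_hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'banned' => false],
    2 => ['id' => 2, 'password_hash' => password_hash('bob-pw',   PASSWORD_DEFAULT), 'banned' => true],
    3 => ['id' => 3, 'password_hash' => password_hash('carol-pw', PASSWORD_DEFAULT), 'banned' => false],
];

// Secondary session token: bound to the password hash, so changing the
// password (or rotating the hash) invalidates every existing session.
function session_token(string $password_hash): string
{
    return hash('sha256', $password_hash);
}

// What the login step writes into the session after a successful password
// check (the password check itself is not part of this example).
function session_data_for(array $users, int $user_id): array
{
    $u = $users[$user_id];
    return ['user_id' => $u['id'], 'token' => session_token($u['password_hash'])];
}

// Equivalent of try_session_login(): trust nothing in the session until the
// database row confirms it. $session plays the role of session->userdata().
function try_session_login(array $users, array $session): bool
{
    if (!isset($session['user_id'], $session['token'])) {
        return false;                       // not logged in
    }
    $user_id = (int) $session['user_id'];

    // In CodeIgniter this lookup would be a bound query, e.g.
    // $this->CI->db->query('SELECT id, password_hash, banned FROM users WHERE id = ?', [$user_id]);
    $row = $users[$user_id] ?? null;

    if ($row === null) {
        return false;                       // user deleted, or id never existed
    }
    if ($row['banned']) {
        return false;                       // banned after the session was created
    }
    // Constant-time compare: a numeric user_id is guessable, the token is not.
    if (!hash_equals(session_token($row['password_hash']), (string) $session['token'])) {
        return false;                       // user_id was swapped, or password changed
    }
    return true;
}

// Demonstration of each case the check is meant to catch.
$alice = session_data_for($users, 1);
var_dump(try_session_login($users, $alice));                // valid session

$tampered = ['user_id' => 3, 'token' => $alice['token']];   // id swapped to carol, alice's token kept
var_dump(try_session_login($users, $tampered));             // token does not match carol's row

$bob = session_data_for($users, 2);
var_dump(try_session_login($users, $bob));                  // bob is banned

$gone = ['user_id' => 99, 'token' => 'anything'];
var_dump(try_session_login($users, $gone));                 // no such row

$users[1]['password_hash'] = password_hash('alice-new-pw', PASSWORD_DEFAULT);
var_dump(try_session_login($users, $alice));                // alice changed her password
```

The per-request database read is what makes the ban and delete cases work; the extra token is what makes changing the numeric user_id useless on its own, which is the second concern raised above.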
#3

[eluser]brazilius[/eluser]
Quote:
Quote:and we can be sure that userdata can't be altered
How are you so sure the data hasn’t been altered? Encrypted !== trusted.
This is from the session class user guide:
Quote:If you have the encryption option enabled, the serialized array will be encrypted before being stored in the cookie, making the data highly secure and impervious to being read or altered by someone.

Quote:In the particular example you list - what if you have banned a user, or deleted a user, while they are browsing your site? If you don’t check for the record they can continue using your site until their session expires.
This reason is enough for me to check the db every time.