• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
login and database sessions

#1
[eluser]Unknown[/eluser]
Hello.. first of all I'm pretty new with codeigniter and my english isn't really good.. I'll try be clear as possible.
I don't really understand how CI sessions works..
I make an example so you can understand better


login page (simplified):

Code:
if($this->login())
{
     $this->load->library('session'); (it saves on ci_session table: session_id, ip_address, user_agent, last_activity)
     $this->session->set_userdata('user_id', $this->id); (user_id used for set the page based on it, (ex: user profile?))
     redirect('protectpage');
}



so now, to show the page only to logged users I did something like that:
protectpage:
Code:
$this->load->library('session'); (it saves on ci_session table: session_id, ip_address, user_agent, last_activity)

if($this->session->userdata('session_id') && preg_match("/^[a-zA-Z0-9]{32}$/", $this->session->userdata('session_id') ))
{
    $this->db->from('ci_sessions');
    $this->db->where('session_id', $this->session->userdata('session_id'));
    $query = $this->db->get();
            
    if($query->num_rows() > 0)
    {
          echo "logged...";
    }
}

if I do this, the user will always be logged because when I load the session library it saves a new session on the database/cookie..
I guess I should do in login page something like that
$this->session->set_userdata('logged_in', TRUE);

but how much this is secure? i mean if someone when logged change the ci_session cookie with another user_id whats will happens?

and last question..
the session_id changes every 5 minutes but the old session doesnt be removed immediately.. it will be removed based on random time right?

thanks for help ^^

#2
[eluser]Pascal Kriete[/eluser]
You don't need to query the session table manually. In the current version, the session database table is used to verify the session (this is done automatically). The cookie is appended with a unique fingerprint based on the session contents. Basically means that if someone tries to tamper with the cookie, CI will automatically trash it.

Garbage collection does NOT run every time, that is correct (defaults to 5% of the time).
Code:
$this->load->library('session');

// User id was set after login, so if they have that they're authenticated.
if($this->session->userdata('user_id'))
{
          echo "logged in...";
}

#3
[eluser]Unknown[/eluser]
thank you very much


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.