The best way for login system
#11

[eluser]oddman[/eluser]
Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.
#12

[eluser]frrose[/eluser]
oh :(
I am really confused now!!

What should I do to have a good system that is very secure?

You all told me,
but your answers are different :(
Till now I don't know what to do :(
#13

[eluser]Colin Williams[/eluser]
Just store a "flag" in the session that the user is logged in. Use constants for the key and value so they can be nonsensical but still read well in code.
#14

[eluser]Thorpe Obazee[/eluser]
[quote author="oddman" date="1240461905"]Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.[/quote]

I agree.

Another option is to just keep the username and a salted password. Then on authentication, it is salted again and matched against the record. Still not that good, but still better IMO.
#15

[eluser]Thorpe Obazee[/eluser]
[quote author="frrose" date="1240485988"]oh :(
I am really confused now!!

What should I do to have a good system that is very secure?

You all told me,
but your answers are different :(
Till now I don't know what to do :([/quote]

You can check out the other auth systems available, think about how they implement them, and then figure out how to work on your own.
#16

[eluser]louis w[/eluser]
[quote author="oddman" date="1240461905"]Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.[/quote]

I can see where you are coming from, but what would you suggest that I store in the session instead? If you store just loggedin=1, or store some kind of hash key (with a look-up DB in the application), then if someone were to latch onto the session they would have immediate access to the system too.

And to reply to bargainph, I do store the encrypted (and salted) password in the session. I would never store the raw password.
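Added example (not code from this thread or from CodeIgniter) showing what posts #13 and #16 are arguing over: the session holds only a flag and a user id, never the password or its hash, and the session id is regenerated at login so a pre-login id cannot be reused. It assumes `session_start()` has already been called, hashes were produced with `password_hash()`, and `find_user()` stands in for a database lookup; the constant names and the sample user are constructed.

```php
<?php
// Constants for the key and value: nonsensical in the cookie data, readable in code.
const SESS_AUTH_KEY   = 'a7';      // hypothetical key name
const SESS_AUTH_VALUE = 'ok-9f3';  // hypothetical marker value
const SESS_USER_ID    = 'uid';
const SESS_LOGIN_AT   = 'lat';

// Stand-in for the users table; constructed sample record.
function find_user(string $username): ?array
{
    $users = [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = find_user($username);
    // Compare against the stored hash only; the password never leaves this function.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh session id on privilege change, so an id issued before login is useless.
    session_regenerate_id(true);
    $_SESSION = [
        SESS_AUTH_KEY => SESS_AUTH_VALUE,
        SESS_USER_ID  => $user['id'],   // enough to look the user up on each request
        SESS_LOGIN_AT => time(),
    ];
    return true;
}

function is_logged_in(int $max_age = 8 * 3600): bool
{
    if (($_SESSION[SESS_AUTH_KEY] ?? null) !== SESS_AUTH_VALUE) {
        return false;
    }
    // Server-side expiry: a captured session is only good until the login ages out.
    return (time() - ($_SESSION[SESS_LOGIN_AT] ?? 0)) < $max_age;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}
```

A hijacked session still grants access, as post #16 says; what this layout changes is that a leaked session store or cookie exposes no password material, and the regenerated id plus expiry limit how a captured id can be reused.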
#17

[eluser]Rey Philip Regis[/eluser]
I think you should check out other auth libraries. I recommend Zend Auth; it's a nice auth library and very flexible. I know it's a rival of CI, but it's a good library and it's loosely coupled, so you can easily use it in your projects without having to implement all the functions in Zend.

Try it.
#18

[eluser]Thorpe Obazee[/eluser]
[quote author="louis w" date="1240514311"]
And to reply to bargainph, I do store the encrypted (and salted) password in the session. I would never store the raw password.[/quote]

lol. of course I knew that :-P

What I was trying to suggest was a different approach.
#19

[eluser]sfurrh[/eluser]
I'm new to CI and don't use PHP often, but I am getting back into it.

There is a concept for security that I have used in Java sites utilizing the Spring framework called an "interceptor". The interceptor allows me to specify in one place the transactions that need to pass through a particular class (I'm guessing the equivalent of a "hook" in CI). That class can throw an error, redirect, or allow the request to pass to the intended controller. In CI I have been able to implement this except for the redirect piece. If I load a view (like a login view) because the user is not authenticated, then it still loads the intended controller also. I can show_error, but I would like to redirect the user to a login page. What is the best way to do that?

Thanks
#20

[eluser]rufnex[/eluser]
Look at that.. this is a fine starting point:

http://net.tutsplus.com/articles/news/co...y-6-login/