The best way for login system
[eluser]oddman[/eluser]
Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.
[eluser]frrose[/eluser]
Oh, I am really confused now!! What should I do to have a good system and very good security? You all told me, but your answers are different. Till now I don't know what to do.
[eluser]Colin Williams[/eluser]
Just store a "flag" in the session that the user is logged in. Use constants for the key and value so they can be nonsensical but still read well in code.
[eluser]Thorpe Obazee[/eluser]
[quote author="oddman" date="1240461905"]Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.[/quote] I agree. Another option is just to keep the username and a salted password. Then on authentication, it is salted again and matched with the record. Still not that good, but still better IMO.
[eluser]Thorpe Obazee[/eluser]
[quote author="frrose" date="1240485988"]Oh, I am really confused now!! What should I do to have a good system and very good security? You all told me, but your answers are different. Till now I don't know what to do.[/quote] You can check out the other auth systems available and think about how they implement them, then figure out how to work on your own.
[eluser]louis w[/eluser]
[quote author="oddman" date="1240461905"]Louis w - that's not really very secure. If someone were to latch onto that session, they'd have immediate access to your system. Usernames and passwords (even encrypted) should never be stored in a session.[/quote] I can see where you are coming from but what would you suggest that I store in the session instead? If you store just loggedin=1, or store some kind of hash key (with a look up db in the application) then if someone were to latch onto the session they would have immediate access to the system too. And to reply to bargainph, I do store the encrypted (and salted) password in the session. I would never store the raw password.
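Added example, not code from the thread: a plain-PHP sketch of the pattern Colin Williams describes (only a logged-in flag and a user id in the session, under constant keys), combined with the two measures that limit what a latched-onto session is worth: regenerating the session id at login and hardening the session cookie. The user table, credentials and key names are constructed for illustration; it needs PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the thread): keep credentials out of the session entirely.
// Store only a logged-in marker and the user id under constant keys, regenerate the
// session id when the user authenticates, and set restrictive cookie flags.
// $users and the sample credentials below are constructed for this example.

const SESS_AUTH_KEY   = 'auth_state';   // nonsensical-looking key, still readable in code
const SESS_AUTH_VALUE = 'granted';      // value compared on every request
const SESS_USER_ID    = 'auth_uid';     // who is logged in; everything else is looked up in the DB

// Constructed user table: passwords kept only as password_hash() output, never plaintext.
$users = [
    'alice' => ['id' => 7, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

function start_session(): void
{
    // Cookie flags limit what a sniffed or stolen session cookie can do.
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // New session id on privilege change: an id planted before login (session
    // fixation) cannot be ridden into the authenticated session.
    session_regenerate_id(true);
    $_SESSION[SESS_AUTH_KEY] = SESS_AUTH_VALUE;
    $_SESSION[SESS_USER_ID]  = $users[$username]['id'];
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION[SESS_AUTH_KEY]) && $_SESSION[SESS_AUTH_KEY] === SESS_AUTH_VALUE;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

start_session();
if (login($users, 'alice', 'correct horse battery staple')) {
    echo is_logged_in() ? "logged in as user {$_SESSION[SESS_USER_ID]}\n" : "not logged in\n";
}
```

Louis w's point stands either way: whoever holds a valid session id is the user for as long as it lasts. What the flag-only approach changes is the blast radius. A stolen session expires or can be revoked server-side, whereas a username and (even hashed) password copied out of session storage stay useful until the password is changed, and a hash plus salt can be attacked offline.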
[eluser]Rey Philip Regis[/eluser]
I think you should check out other auth libraries. I recommend Zend Auth; it's a nice auth library and very flexible. I know it's a rival of CI, but it's a good library and it's loosely coupled, so you can easily use it in your projects without having to implement all the functions in Zend. Try it.
[eluser]Thorpe Obazee[/eluser]
[quote author="louis w" date="1240514311"] And to reply to bargainph, I do store the encrypted (and salted) password in the session. I would never store the raw password.[/quote] lol. Of course I knew that :-P What I was trying to suggest was a different approach.
[eluser]sfurrh[/eluser]
I'm new to CI and don't use PHP often, but I am getting back into it. There is a concept for security that I have used in Java sites utilizing the Spring framework called an "interceptor". The interceptor allows me to specify in one place the transactions that need to pass through a particular class (I'm guessing the equivalent of a "hook" in CI). That class can throw an error, redirect, or allow the request to pass to the intended controller. In CI I have been able to implement this except for the redirect piece. If I load a view (like a login view) because the user is not authenticated, then it still loads the intended controller also. I can show_error, but I would like to redirect the user to a login page. What is the best way to do that? Thanks
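Added example, not code from the thread: the interceptor sfurrh describes, done as a CodeIgniter post_controller_constructor hook. Loading a view from the hook does not stop the request, which is why the intended controller still runs; CodeIgniter's redirect() helper sends the Location header and then calls exit, so the controller action never executes. The hook name, the session key 'auth_state' and its value, the 'login' controller name and the list of public controllers are assumptions made for this example.

```php
<?php
// Added example (not from the thread): a CodeIgniter hook that sends unauthenticated
// requests to the login controller before the intended controller method runs.
// Assumes the session holds 'auth_state' => 'granted' for a logged-in user and that the
// login controller is named 'login'; both names are constructed for this example.

// --- application/config/config.php ---
// $config['enable_hooks'] = TRUE;

// --- application/config/hooks.php ---
// $hook['post_controller_constructor'] = array(
//     'class'    => 'Auth_hook',
//     'function' => 'require_login',
//     'filename' => 'auth_hook.php',
//     'filepath' => 'hooks',
// );

// --- application/hooks/auth_hook.php ---
class Auth_hook
{
    // Controllers reachable without a session (constructed list for the example).
    private $public_controllers = array('login', 'register');

    public function require_login()
    {
        // post_controller_constructor runs after the controller object is built, so the
        // super-object and its loaded libraries are available here.
        $CI =& get_instance();
        $CI->load->library('session');
        $CI->load->helper('url');

        // Never gate the login flow itself, or the redirect loops forever.
        if (in_array($CI->router->fetch_class(), $this->public_controllers, TRUE)) {
            return;
        }

        // userdata() returns FALSE (CI 1.x/2.x) or NULL (CI 3) when the key is absent;
        // strict comparison against the expected value handles both.
        if ($CI->session->userdata('auth_state') !== 'granted') {
            // redirect() sets the Location header and calls exit, so the intended
            // controller method is never reached and no view is rendered.
            redirect('login');
        }
    }
}
```

The check runs on every request, so it also catches direct URL entry into a protected controller, not only navigation through links the application renders.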
[eluser]rufnex[/eluser]
Look at that... this is a fine starting point: http://net.tutsplus.com/articles/news/co...y-6-login/