Question about Session class and using the database.
#1

[eluser]Zorancho[/eluser]
Hi there!
I am using the Session class, and I could see from the code that it checks whether the session id stored in the user's browser as a cookie is the same as the one in the database, and if they are not, the session will be destroyed.
There are the same keys in the database and in the browser.
After logging in a user, I am adding, for example, logged_in => true and user_id => 234 to the session in the browser. What if I add two more of the same fields to the ci_session table for logged_in and user_id and then do additional checking when redirecting the user to sites that require logged-in status? Will it make my application more secure, or is it just a waste of time?
#2

[eluser]Jondolar[/eluser]
It is probably a waste of time because the session key would be very difficult to guess, which means someone would need access to the cookie (from the browser, packet sniffing, etc.). If they have that, then they have all the other data in the cookie as well.

I recommend you store all private data in the database and use the session id in the cookie only.
#3

[eluser]Zorancho[/eluser]
Does that mean that I will have to compare the session_id from the cookie with the one in the database when I need to get the currently logged-in user on the site? It is my only option, I guess; correct me if I am wrong.
#4

[eluser]Jondolar[/eluser]
Yes, you use the cookie to retrieve the correct record in the DB. You do have some options.

You could hash the key prior to storing it in the db and then hash the cookie after it is returned from the browser. That way if someone gets access to the cookie and the database they won't know which record the cookie is for. You can also encrypt the data you are storing in the database, possibly by storing the data in an array, serializing the array, and then encrypting the string.

If your data is not important (sortby field, search filter, page number, etc.), you could store those in the cookie as well and save a trip to the db. You really only need to protect "protectable worthy" data :)
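The scheme described in this answer (hash the session id before storing it, re-hash the cookie value on each request to find the row, and keep the private data serialized and encrypted in that row), written out as an added example in plain PHP. This is not code from the thread or from CodeIgniter's Session class; the `$db` array standing in for the ci_session table, the HMAC pepper, and the AES data key are assumptions.

```php
<?php
// Added example (not CodeIgniter code): the raw session id lives only in the
// cookie; the DB row is keyed by an HMAC of it and holds encrypted, serialized data.
declare(strict_types=1);
const SESSION_PEPPER = 'replace-with-a-long-random-secret'; // assumption: server-side only

// Derive the DB lookup key from the raw session id; the raw id never touches the DB.
function session_lookup_key(string $session_id): string
{
    return hash_hmac('sha256', $session_id, SESSION_PEPPER);
}

// Serialize and encrypt the private data before writing it to the DB row.
function seal_session_data(array $data, string $key): string
{
    $iv = random_bytes(16);
    $cipher = openssl_encrypt(serialize($data), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $cipher);
}

function open_session_data(string $blob, string $key): array
{
    $raw = base64_decode($blob, true);
    $iv = substr($raw, 0, 16);
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? [] : unserialize($plain, ['allowed_classes' => false]);
}

// On login: the raw id goes to the cookie, only its hash and the sealed data to the DB.
function create_session(array &$db, string $data_key, array $data): string
{
    $session_id = bin2hex(random_bytes(32));
    $db[session_lookup_key($session_id)] = seal_session_data($data, $data_key);
    return $session_id; // set this as the cookie value
}

// On each request: re-hash the cookie, fetch the row, decrypt the stored data.
function load_session(array $db, string $data_key, string $cookie_value): ?array
{
    $lookup = session_lookup_key($cookie_value);
    if (!isset($db[$lookup])) {
        return null; // unknown or tampered cookie: treat as not logged in
    }
    return open_session_data($db[$lookup], $data_key);
}

$db = []; // constructed stand-in for the ci_session table
$data_key = hash('sha256', 'replace-with-a-data-encryption-secret', true); // 32-byte AES key
$cookie = create_session($db, $data_key, ['logged_in' => true, 'user_id' => 234]);
var_dump(load_session($db, $data_key, $cookie));
```

Someone who obtains a DB dump sees only HMAC values and ciphertext, so they cannot tell which row belongs to a given cookie nor read its contents without the server-side secrets.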
#5

[eluser]Zorancho[/eluser]
Yes, I understand that, but it's still a bit confusing to me.
I am sure that if I use $config['sess_encrypt_cookie'] = TRUE, then it is already encrypting the cookie, but are you saying I should hash the cookie again before I put it into the DB, and when I check it against the one from the browser I undo the hash (when I am checking, for example, for a logged-in user)?
I apologize if I am bothering you too much.
Thanks again.
#6

[eluser]Zorancho[/eluser]
And in addition to it... The user logs in, I put a hashed session_id into his browser and a corresponding one into my DB, but hashed again. Is that what you wanted to say? Or, because I am using the encryption from the $config, I don't have to do this?
#7

[eluser]TheFuzzy0ne[/eluser]
Double hashing is a waste of resources and a waste of time. If your cookies are encrypted, I'd consider that to be about as secure as your cookies will get, short of sending cookies to the browser with a couple of bad-ass bodyguards.