how safe is $this->session ?
#1

[eluser]Doosje[/eluser]
I'm seeing a lot of people using the internal session library where they store if a user is authenticated (and they didn't talk about sessions in the db).
But if I'm storing something like "auth=1" in there
and after that I do a 'var_dump($_SESSION)' I see the 'auth=1' serialized
I would say that session is a cookie and can be easily tampered with..
Or am I wrong...
#2

[eluser]Mirage[/eluser]
Basically you're right.

You can make it more secure by using the encryption functionality. Still doesn't make it impossible to hack, but it's a lot harder. Also, just because something is 'auth' you don't need to call it that. :-). Neither do you need to set it to 1. Encrypted or not - obfuscation and misdirection is a valid weapon too.

Finally, check out the PHPSession and other libraries that are out there to work with PHP Session object instead.

Cheers!
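
Added example, not part of the original posts and not CodeIgniter's own session code: a cookie that carries serialized session data with no integrity check accepts a client-side edit to `auth`, while the same data carrying an HMAC tag is refused once edited. The key, the function names and the cookie layout are assumptions made for this illustration, and it uses an HMAC signature rather than the encryption option mentioned above.

```php
<?php
// Added illustration, not CodeIgniter's session library code.
// SERVER_KEY is a constructed value; a real key is long, random and server-only.
const SERVER_KEY = 'constructed-demo-key';

// Unsigned form: the cookie value is just the serialized session array.
function pack_unsigned(array $session): string
{
    return serialize($session);
}

// Signed form: base64 of the serialized data, a dot, then an HMAC-SHA256 tag.
function pack_signed(array $session, string $key): string
{
    $data = serialize($session);
    return base64_encode($data) . '.' . hash_hmac('sha256', $data, $key);
}

// Returns the session array, or null when the cookie is malformed or altered.
function unpack_signed(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    $data = count($parts) === 2 ? base64_decode($parts[0], true) : false;
    if ($data === false) {
        return null;
    }
    // Constant-time comparison of the recomputed tag with the supplied one.
    if (!hash_equals(hash_hmac('sha256', $data, $key), $parts[1])) {
        return null;
    }
    // Unserialize only after the tag verified, and never instantiate objects.
    $session = unserialize($data, ['allowed_classes' => false]);
    return is_array($session) ? $session : null;
}

// Constructed sample: the server issues a cookie for a visitor who is not logged in.
$issued = ['auth' => 0];

// Unsigned: an edited value parses exactly like a server-issued one.
$edited = str_replace('i:0;', 'i:1;', pack_unsigned($issued));
var_dump(unserialize($edited, ['allowed_classes' => false]));

// Signed: the same edit no longer matches the tag, so the cookie is refused.
[$b64, $tag] = explode('.', pack_signed($issued, SERVER_KEY), 2);
$forged = base64_encode(str_replace('i:0;', 'i:1;', base64_decode($b64))) . '.' . $tag;
var_dump(unpack_signed($forged, SERVER_KEY));
var_dump(unpack_signed(pack_signed($issued, SERVER_KEY), SERVER_KEY));
```

Signing detects changes but does not hide the cookie's contents or stop an old, validly signed cookie from being replayed.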
#3

[eluser]Doosje[/eluser]
I'll head over to http://codeigniter.com/wiki/Native_session/
Thanks .. though I should mention it better in the documentation ...
#4

[eluser]Al James[/eluser]
You could also check out my personal choice: DB_Session

http://codeigniter.com/wiki/DB_Session/

It's basically the same as Native_Session, but it stores everything in the DB. I would say that's better if you ever plan to roll out to a DB cluster.
#5

[eluser]Doosje[/eluser]
I'll take a dive into it..
Thanks.. it's probably what I need.
#6

[eluser]WeeJames[/eluser]
I give another vote for db_session.