All session info from cookie to database
#1

[eluser]Grind[/eluser]
After a login, is it possible to store only the session id in a cookie and the rest (user id, group id etc.) together with the session id in the database? This is because I want a little bit of extra security; right now I store the user id and the group id in a cookie to validate the rights the user has in the system. But that value in the cookie could very easily be changed, couldn't it? That's why I want to check the rights the user has, using the session id in the cookie, against the values in the database.

How is this possible?
Thanks in advance.
#2

[eluser]Thorpe Obazee[/eluser]
The Session Class has an option to store information in the database. The Session Class handles the verification (IP, user agent, database (if you use the DB option), etc.) whenever you ask for data. You can easily change the data just like you normally do with CI Sessions.

Quote:When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.

To validate the user rights, you just have to check user rights on your protected pages.
#3

[eluser]Grind[/eluser]
Thanks for your reply. I tried enabling the usage of a database in the config file, but how can I pass data to the database (the user rights etc.) without passing it to a cookie? I just want to have the session id in a cookie and the user rights in the database. It's not clear to me how to achieve this.
#4

[eluser]Thorpe Obazee[/eluser]
Everything will be passed to the database. I *think* the session_id is stored in the database for verification purposes. In the end, you'll have one cookie copy and one database copy of your session, which I think is best when verifying the validity of the cookie copy.

Option 2
If you don't like that option and really really really really really really really really really really don't want any database copy of your session_id in the database, you'd have to manually check user_rights on every page using a user_id like so.

Code:
// Your controller (assumes User_model is loaded, e.g. via autoload)
function is_logged()
{
    // Look the role up in the database instead of trusting anything stored in the cookie
    if ( ! $this->user_model->check_user_rights($this->session->userdata('user_id'), 'admin'))
    {
        redirect('user/login');
    }
    // continue code here.....
}

Code:
// User_model

// Returns the number of (user, role) matches; 0 means the user does not have the role
function check_user_rights($user_id, $role)
{
    return $this->db->join('roles_users', 'roles_users.user_id = users.id', 'LEFT')
        ->join('roles', 'roles.id = roles_users.role_id', 'LEFT')
        ->where(array('users.id' => $user_id, 'roles.name' => $role))
        ->count_all_results('users');
}
That is assuming you have a table like so:

Quote:users
id
username
password

roles
id
name

roles_users
role_id
user_id

This is of course untested, but that's the logic behind it.
#5

[eluser]Grind[/eluser]
Sorry, I now see I mistyped my message.
I want a cookie with only the session id, and I want a database with the session id and all the info CI stores in the database by default, along with the user id and the group id. So it's then like so:

Quote:cookie
session_id

database
session_id
ip_address
user_agent
last_activity
user_data
user_id
group_id

The user_data field in the database contains the userdata stored in the cookie, but I don't want it in the cookie: I just want a session id in the cookie. So I think that field isn't necessary.

Maybe this is a bit clearer (:
#6

[eluser]Colin Williams[/eluser]
Check the Wiki. There is a session class, DB_Session I think, that behaves in this manner. All the database option in CI does is replicate the cookie in the database and then validate the cookie session id against the database. The other option is to encrypt the session data. It's still in the cookie, but it can't simply be read. I too wish CI behaved more like the contrib DB_Session.
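As an added example (not code from this thread, from CodeIgniter or from the contrib DB_Session), here is the arrangement Grind describes in post #5 written out in plain Python against an in-memory SQLite table with the columns he lists: the cookie carries only a random session_id, user_id and group_id live in the database row, and every request resolves the cookie server-side. Because the rights never leave the server, editing the cookie can only make the lookup fail; it cannot change the rights that come back. The table name ci_sessions, the IP/user-agent binding, the two-hour inactivity limit and the sample addresses are assumptions for the demonstration.

```python
"""Server-side session store: the cookie holds only an opaque session id;
user_id / group_id are read from the database row keyed by that id."""
import secrets
import sqlite3
import time

SESSION_LIFETIME = 7200  # assumed: seconds of inactivity before a session dies


def open_store():
    """Create the sessions table from post #5 in an in-memory SQLite database.
    Constructed for this example; in CI this would be the $this->db table."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE ci_sessions (
            session_id    TEXT PRIMARY KEY,
            ip_address    TEXT NOT NULL,
            user_agent    TEXT NOT NULL,
            last_activity INTEGER NOT NULL,
            user_id       INTEGER NOT NULL,
            group_id      INTEGER NOT NULL
        )""")
    return db


def create_session(db, ip, user_agent, user_id, group_id, now=None):
    """Run after a successful login. Returns the only value the cookie gets.
    The id is 32 random bytes, so nothing about the user can be read from it
    and it cannot be guessed."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_hex(32)
    db.execute("INSERT INTO ci_sessions VALUES (?, ?, ?, ?, ?, ?)",
               (sid, ip, user_agent, now, user_id, group_id))
    db.commit()
    return sid


def load_session(db, cookie_sid, ip, user_agent, now=None):
    """Resolve the cookie value to (user_id, group_id), or None if the session
    is unknown, bound to a different client, or idle for too long."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT ip_address, user_agent, last_activity, user_id, group_id "
        "FROM ci_sessions WHERE session_id = ?", (cookie_sid,)).fetchone()
    if row is None:
        return None  # tampered or expired cookie: no rights at all
    db_ip, db_ua, last_activity, user_id, group_id = row
    # Mirror CI's optional binding of the session to the client's IP and UA.
    if db_ip != ip or db_ua != user_agent:
        return None
    if now - last_activity > SESSION_LIFETIME:
        # Destroy the server-side copy; the cookie alone is now worthless.
        db.execute("DELETE FROM ci_sessions WHERE session_id = ?", (cookie_sid,))
        db.commit()
        return None
    db.execute("UPDATE ci_sessions SET last_activity = ? WHERE session_id = ?",
               (now, cookie_sid))
    db.commit()
    return user_id, group_id


def has_group(db, cookie_sid, ip, user_agent, required_group, now=None):
    """The per-page rights check from post #4, answered from the DB copy only."""
    sess = load_session(db, cookie_sid, ip, user_agent, now)
    return sess is not None and sess[1] == required_group


if __name__ == "__main__":
    store = open_store()
    # Sample client (constructed): IP 203.0.113.5, user 42 in group 1.
    sid = create_session(store, "203.0.113.5", "Mozilla/5.0", 42, 1)
    print(load_session(store, sid, "203.0.113.5", "Mozilla/5.0"))
    # An attacker can only alter the cookie; a forged id simply misses.
    print(load_session(store, secrets.token_hex(32), "203.0.113.5", "Mozilla/5.0"))
    print(has_group(store, sid, "203.0.113.5", "Mozilla/5.0", 1))
```

The cookie value is the only thing the browser can change, and it is an unguessable key into the table rather than the data itself; that is the difference between this layout and storing user_id and group_id in the cookie as in post #1.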