[eluser]sdotsen[/eluser]
I don't use MySQL, so saving session info to the DB is out of the question. I do, however, use MongoDB, so if I had to manually save session info to the DB, so be it. However, I would like to know if the following is secure enough. Yes, I realize I have to sanitize and add salt and all that good stuff to save the user's credentials, but this question is more about how to secure the authentication process.
Throughout my site, I have the following parameter that checks if a user is logged in.
Code:
if (Current_User::is_logged_in()) {
    // etc...
} else {
    redirect('login');
}
current_user.php
Code:
function is_logged_in()
{
    // Read the flag that the login routine stored in the session.
    $logged_in = $this->session->userdata('logged_in');
    if (!isset($logged_in) || $logged_in != true)
    {
        echo 'You don\'t have permission to access this page. <a href="../login">Login</a>';
        return false;
        //die();
    }
    return true;
}
So my function that checks the user credentials sets the following info if the user inputs the correct username/password.
Code:
$userdata = array('username' => $records['username'], 'logged_in' => TRUE);
$logged_in = $this->session->set_userdata($userdata);
With that said, if I encrypt the cookie by making 'sess_encrypt_cookie' TRUE, will I essentially avoid any possible tampering? Preferably, I would like to save the session data to the DB, but in this case I can't.
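
An added example (not part of the original post, and not CodeIgniter's own session code): one way to make a cookie-held payload like the `username`/`logged_in` array above tamper-evident is to attach an HMAC and verify it before `logged_in` is trusted. The function names, the `exp` field and `SESSION_KEY` are assumptions made for this illustration.

```php
<?php
// Added illustration; not CodeIgniter's session library.
// SESSION_KEY is a placeholder: use a random secret kept outside the web root.
const SESSION_KEY = 'replace-with-a-random-32-byte-secret';

// Encode the payload and append an HMAC-SHA256 tag computed with the server key.
function seal_session(array $data, string $key, int $ttl = 7200): string
{
    $data['exp'] = time() + $ttl;                 // hypothetical expiry field
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the payload only if the tag verifies and the session has not expired.
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Verify before decoding; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || ($data['exp'] ?? 0) < time()) {
        return null;
    }
    return $data;
}

function is_logged_in(?array $session): bool
{
    return $session !== null && ($session['logged_in'] ?? false) === true;
}

// Constructed sample values.
$cookie = seal_session(['username' => 'alice', 'logged_in' => true], SESSION_KEY);
var_dump(is_logged_in(open_session($cookie, SESSION_KEY)));

// Tamper test: an edited payload carrying the old tag must be rejected.
$edited = base64_encode(json_encode(['username' => 'bob', 'logged_in' => true]))
    . '.' . explode('.', $cookie)[1];
var_dump(is_logged_in(open_session($edited, SESSION_KEY)));
```

The HMAC only detects modification; the payload remains readable by the client unless it is also encrypted.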