Help with securing user authentication with session
#1

[eluser]sdotsen[/eluser]
I don't use mysql so saving session info to the DB is out of the question. I do however use mongodb so if I had to manually save session info to the DB, so be it. However, I would like to know if the following is secure enough. Yes I realize I have to sanitize and add salt and all that good stuff to save the user's credentials, but this question is more about how to secure the authentication process.

Throughout my site, I have the following parameter that checks if a user is logged in.

Code:
if (Current_User::is_logged_in()) {   // closing parenthesis was missing in the original
   etc...
} else {
   redirect('login');
}


current_user.php
Code:
// Called statically as Current_User::is_logged_in(), so it cannot rely on $this;
// CI's get_instance() gives access to the loaded Session library instead.
public static function is_logged_in()
{
    $CI =& get_instance();
    $logged_in = $CI->session->userdata('logged_in');

    // userdata() returns FALSE when the key is absent, so a strict check is enough
    if ($logged_in !== TRUE)
    {
        echo 'You don\'t have permission to access this page. <a href="../login">Login</a>';
        return false;
        //die();
    }
    return true;
}

So my function that checks the user credentials, sets the following info if the user inputs the correct username/password.

Code:
// set_userdata() returns nothing, so there is no value to capture
$userdata = array('username' => $records['username'], 'logged_in' => TRUE);
$this->session->set_userdata($userdata);

With that said, if I encrypt the cookie by making 'sess_encrypt_cookie' TRUE, will I essentially avoid any possible tampering? Preferably I would like to save the session data to the DB, but in this case I can't.
#2

[eluser]Colin Williams[/eluser]
I'd use a better flag than true, like a salted hash of the username

Code:
'logged_in' => md5($records['username'] . 's0m3cr@zi35alT');

But without storing session data elsewhere, it's still not that safe. You might consider native PHP session handling, since a DB is out of the question
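The keyed-flag idea from the reply above, written out as an added example (not the poster's or CodeIgniter's code): the flag is an HMAC of the username under a server-side secret rather than md5(username . salt), and the check recomputes it and compares in constant time. FLAG_SECRET, make_login_flag() and login_flag_is_valid() are names assumed here; $records['username'] is the value from the original login code.

```php
<?php
// Added example: a server-keyed 'logged_in' flag and its verification.
// Assumed: FLAG_SECRET is loaded from server-side config (placeholder value below),
// never from the cookie or the request.
const FLAG_SECRET = 'REPLACE-WITH-LONG-RANDOM-SERVER-SIDE-SECRET';

// Value to store under 'logged_in' after a successful password check.
function make_login_flag(string $username): string
{
    return hash_hmac('sha256', $username, FLAG_SECRET);
}

// Recompute the flag for the username carried in the session and compare it
// in constant time. A flag that was not minted with FLAG_SECRET fails here.
function login_flag_is_valid($username, $flag): bool
{
    if (!is_string($username) || !is_string($flag)) {
        return false;
    }
    return hash_equals(make_login_flag($username), $flag);
}

// At login (in place of 'logged_in' => TRUE):
// $this->session->set_userdata(array(
//     'username'  => $records['username'],
//     'logged_in' => make_login_flag($records['username']),
// ));
//
// In is_logged_in():
// return login_flag_is_valid($this->session->userdata('username'),
//                            $this->session->userdata('logged_in'));
```

This only proves the server produced the flag for that username; the cookie contents are still held by the client, which is why the rest of the thread moves the data server-side and keeps just an id in the cookie.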
#3

[eluser]sdotsen[/eluser]
[quote author="Colin Williams" date="1264481619"]I'd use a better flag than true, like a salted hash of the username

Code:
'logged_in' => md5($records['username'] . 's0m3cr@zi35alT');

But without storing session data elsewhere, it's still not that safe. You might consider native PHP session handling, since a DB is out of the question[/quote]

I take it the value of the cookie being encrypted isn't all that secure either? I looked at the session class and I think I can hack it so that I can add my own database manipulation. So let's say I was using mysql or managed to get mongodb to work with this. What should I be doing? Check for the session using the session_id generated by CI (against the value in the DB)?
#4

[eluser]Colin Williams[/eluser]
Yes. Your safest bet is to only store the session ID in the cookie. Also, I think CI resets the ID on each request to prevent hijacking (updates both the cookie and database reference, of course)
#5

[eluser]sdotsen[/eluser]
Thanks!

Just to clarify. My "is_logged_in" function should now be querying $this->session->userdata['session_id'] against whatever is in the DB, correct?
#6

[eluser]Colin Williams[/eluser]
Well, it's better for the Session class to manage that (retrieving data from the DB and storing it locally.) That way you can still just test the value of $this->session->userdata('is_logged_in') in your controller, or wherever.

Upon load, the session class should query the database to retrieve all the data. Take a look at the current Session class and mimic what they do.
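The design described in posts #4 and #6, as an added example that is neither CodeIgniter's Session class nor the poster's code: the cookie carries only a random session id, all userdata lives in a server-side store keyed by that id, the store is read on load, the id is rotated on every request, and the controller keeps checking userdata('logged_in') exactly as before. ArraySessionStore (a stand-in for a MongoDB collection), DbSession, the cookie name and the lifetime are assumptions; random_bytes() requires PHP 7 or later.

```php
<?php
// Added example: DB-backed session with only the id in the cookie.

// Assumed stand-in for a MongoDB collection; swap the three methods for
// find/insert/remove calls on a real collection.
class ArraySessionStore
{
    private $rows = array();
    public function find($id)             { return isset($this->rows[$id]) ? $this->rows[$id] : null; }
    public function save($id, array $row) { $this->rows[$id] = $row; }
    public function remove($id)           { unset($this->rows[$id]); }
}

class DbSession
{
    const COOKIE   = 'app_session'; // assumed cookie name
    const LIFETIME = 7200;          // seconds of inactivity before a row is dropped (assumed)

    private $store;
    private $id;
    private $data = array();

    public function __construct(ArraySessionStore $store)
    {
        $this->store = $store;
        $this->load();
    }

    // On load: take the id from the cookie, look it up server-side, discard unknown
    // or expired rows, then issue a fresh id so a copied cookie goes stale on the
    // next request (the per-request rotation mentioned in the thread).
    private function load()
    {
        $id  = isset($_COOKIE[self::COOKIE]) ? $_COOKIE[self::COOKIE] : null;
        $row = ($id !== null && preg_match('/^[a-f0-9]{64}$/', $id)) ? $this->store->find($id) : null;

        if ($row === null || $row['last_activity'] + self::LIFETIME < time()) {
            if ($id !== null) { $this->store->remove($id); }
            $this->data = array();
        } else {
            $this->data = $row['user_data'];
            $this->store->remove($id);   // old id is retired when the new one is issued
        }
        $this->id = bin2hex(random_bytes(32));
        $this->persist();
    }

    // Write the current userdata under the current id and send only the id to the browser.
    private function persist()
    {
        $this->store->save($this->id, array(
            'last_activity' => time(),
            'user_data'     => $this->data,
        ));
        setcookie(self::COOKIE, $this->id, 0, '/', '', true, true); // Secure + HttpOnly
    }

    public function set_userdata(array $values)
    {
        $this->data = array_merge($this->data, $values);
        $this->persist();
    }

    public function userdata($key)
    {
        return isset($this->data[$key]) ? $this->data[$key] : null;
    }

    public function sess_destroy()
    {
        $this->store->remove($this->id);
        $this->data = array();
        setcookie(self::COOKIE, '', time() - 3600, '/', '', true, true);
    }
}

// Usage: the controller check from the first post is unchanged.
// $session = new DbSession($store);
// $session->set_userdata(array('username' => $records['username'], 'logged_in' => TRUE));
// if ($session->userdata('logged_in') === TRUE) { /* ... */ } else { redirect('login'); }
```

Because nothing but the id leaves the server, 'logged_in' => TRUE is safe again: a client can only present an id, and an id that is not in the store (or has expired) loads as an empty session.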
#7

[eluser]sdotsen[/eluser]
Oh, so basically continue doing what I'm doing but work on getting the session class to read/write to my database?
#8

[eluser]Colin Williams[/eluser]
Yep. Exactly.