Jeffrey Way's CodeIgniter From Scratch: Day 6 – Login tutorial security question
#1

[eluser]Andy78[/eluser]
In Jeffrey Way's tut he creates a login system that just uses the cookies to store session data. He states that it can be enhanced and made more secure by using the database but does not go into it.

Now using the database as far as I can tell is just a matter of creating the table as per this

CREATE TABLE IF NOT EXISTS `ci_sessions` (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text NOT NULL,
PRIMARY KEY (session_id)
);

and then setting this in the config file: $config['sess_use_database'] = TRUE;

How much of an effect on security does this actually have?

What else would I really be looking to do to enhance the login session security outlined in that tut?
#2

[eluser]tonanbarbarian[/eluser]
CI session code does NOT use the normal PHP session handlers.
The normal PHP session handler stores session information on the server and provides a Session ID that is stored in a cookie. On each request that session ID is looked up and the correct session file is opened and the data retrieved.

CI stores the session data in the cookie. This means that if you are storing information about the user account in the session that information is sent back and forth across the web between the browser and the server with each request.

CI database sessions work more like the PHP session in that the session data is stored in the database and not stored in the cookie.

Ultimately what this means is that if you do not use the database you are restricted in how much data you can store in the session.
Cookies can hold a maximum of 4k of data. The session data is serialised, which expands the amount of space it needs significantly,
so realistically you may only be able to store 1 or 2k of data in the session if using cookies rather than the database.

If you are NOT using the database then you really should always turn on encryption in the session, otherwise the session data is sent in the clear and that could be a security risk.
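The two session modes described in the reply, written out as an added configuration example (this is not code from the thread or from the CodeIgniter project). It assumes the CodeIgniter 2.x session settings in application/config/config.php: sess_use_database, sess_table_name, sess_encrypt_cookie, sess_expiration, sess_expire_on_close, sess_match_ip, sess_match_useragent, sess_time_to_update and encryption_key. The helper at the end approximates the cookie envelope to show why the 4k cookie ceiling is reached well before 4k of user data; CI's exact on-the-wire layout differs in detail.

```php
<?php
// Added example, not from the thread or the CodeIgniter project.
// Assumes CodeIgniter 2.x session config keys (application/config/config.php).

// Weak: the whole session (including any account data you put in it) is
// serialised into the cookie and travels with every request, in the clear.
$weak_config = array(
    'sess_use_database'   => FALSE,
    'sess_encrypt_cookie' => FALSE,
);

// Hardened: user data stays server-side in ci_sessions (the table from the
// question); only the session record identifier travels in the cookie, and
// that cookie is encrypted. The remaining keys bound the session lifetime
// and tie the record to the client that created it.
$hardened_config = array(
    'sess_use_database'    => TRUE,
    'sess_table_name'      => 'ci_sessions',
    'sess_encrypt_cookie'  => TRUE,
    'sess_expiration'      => 7200,   // seconds; 0 would mean never expire
    'sess_expire_on_close' => TRUE,   // drop the cookie when the browser closes
    'sess_match_ip'        => TRUE,   // reject the cookie if the client IP changed
    'sess_match_useragent' => TRUE,   // reject the cookie if the User-Agent changed
    'sess_time_to_update'  => 300,    // rotate the session ID every 5 minutes
);
// sess_encrypt_cookie requires a key; this value is a placeholder, not a real key.
$hardened_config['encryption_key'] = 'REPLACE-WITH-A-RANDOM-32-BYTE-KEY';

/**
 * Approximate how large a cookie-mode session would be for the given user
 * data. Cookie mode stores the CI bookkeeping fields alongside your own
 * fields in one serialised array, so the usable budget is well under 4k.
 * The envelope here is an approximation of CI's real layout (assumption).
 *
 * @param array $user_data fields the application would put in the session
 * @param int   $limit     browser cookie ceiling in bytes (4k per the reply)
 * @return array bytes used and whether it fits under the ceiling
 */
function estimate_cookie_session(array $user_data, $limit = 4096)
{
    $envelope = array(
        'session_id'    => str_repeat('0', 32),  // md5-length placeholder
        'ip_address'    => '255.255.255.255',    // worst-case IPv4 length
        'user_agent'    => str_repeat('A', 50),  // ci_sessions.user_agent is varchar(50)
        'last_activity' => time(),
    );
    // In cookie mode CI appends a hash to detect tampering; in encrypted
    // mode the payload is additionally base64-expanded. Model the hash only.
    $serialized = serialize($envelope + $user_data);
    $bytes      = strlen($serialized) + 32;  // + md5 hash appended by CI
    return array(
        'bytes' => $bytes,
        'fits'  => $bytes <= $limit,
        'ratio' => round($bytes / max(1, strlen(serialize($user_data))), 2),
    );
}

// Constructed sample session data, as a login system in the tutorial might store it.
$sample = array(
    'user_id'   => 42,
    'username'  => 'andy78',
    'email'     => 'andy78@example.invalid',
    'is_admin'  => FALSE,
    'logged_in' => TRUE,
);
print_r(estimate_cookie_session($sample));
```

The ratio field shows how much of the cookie the bookkeeping and serialisation overhead consume relative to the raw user data, which is the practical reason the reply estimates only 1 or 2k of real session data in cookie mode. With sess_use_database set to TRUE that budget concern disappears, because the user_data column in ci_sessions is a text field and the cookie carries only the identifier.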
