what do you store in your login cookie ?

[eluser]runrun[/eluser]
Given a login form compiled of email address and password. After login success, what do you store in your cookie content? What method you use to encode the content and why use it? and how do you validate the cookie when user go to must-login-pages ?

Do you utilize database when read login cookie ?

[eluser]mdvaldosta[/eluser]
I use encrypted database cookies and usually store anything I'll need regularly about the user so I don't have to query the database continuously. Usually things like usergroup permissions and first name.

[eluser]runrun[/eluser]
do you encode the first name ?

[eluser]mdvaldosta[/eluser]
The session library takes care of that. I just store/retrieve the data as normal.

[eluser]Federico Baña[/eluser]
I could use some help on this issue too.

I also encrypt sessions and store them into the database. Sessions have session id, username and password (along with some other app-related info) and on logged-only pages I re-check the session values against the database. This gives admins full control over who has access and who doesnt as they can change someone's pwd and take them out the system right away.

The issue here is that CI does 2 calls to the db, 1 comes with the built-in functionallity of the session library that checks the session_id in the cookie against the db every time, and the other is the one I have to do to compare my data against the users.

I noticed that the session lib sends the userdata to the database as a serialized array, but is there a way to save it as actual table fields? without creating a custom library?

[eluser]Madmartigan1[/eluser]
I only store the user id in the session, the user data refreshed once every page load.
This is the only way I could find that will allow me to force a logout on a deactivated user if they logged in before they were deactivated. This also solved the hassle of explicitly refreshing the user data whenever it changed.

@federico Baña: Take a look at unserialize() maybe?
http://php.net/manual/en/function.unserialize.php

[eluser]Federico Baña[/eluser]
Yes, thats what I use to get the info out of the db, but still, there're 2 db queries going on.

[eluser]runrun[/eluser]
guys how do you solve the problem remember me ? You know when user check remember me, the cookie should last a long time. But the session library doesn't have option to set the expire time. How do you overcome this ?

[eluser]nuwanda[/eluser]
I don't use CI sessions. I use native php sessions.

Regarding the whole thing about what gets checked and what doesn't, I have a user class that I load on every page request.

The class checks for a valid login session, retrieves the user data and sets properties. Then I can check for logged in status, user role, etc in each of my controllers.

The class also checks for a remember me cookie and if it exists, I check it against a stored db value: if it matches, I log the user in. At that point I also change the value of the remember me cookie and save the value to the db. That way, if the cookie is stolen or is invalid, the user is not logged in.

I used to worry about doing all this on every page load, but actually, it's no big deal. And since user validation is critical to any app, it just has to be done.

The advantage to checking things on every page load is that any changes to user data or status is always current.

[eluser]Atharva[/eluser]
[quote author="runrun" date="1293620922"]. But the session library doesn't have option to set the expire time. How do you overcome this ?[/quote]

In config.php , there is one variable $config['sess_expiration'] which if set to 0, the session will never expire.