How secure is this approach
#1

[eluser]keevitaja[/eluser]
Hi,

When the username and password match, I add logged_in = TRUE to my session data, which is stored in MySQL. When I need to protect some pages, I just check if logged_in === TRUE.


How secure is my system? All user inputs are escaped!

Code:
$config['sess_cookie_name']     = 'something_session';
$config['sess_expiration']      = 1200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = TRUE;
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

$config['csrf_protection'] = TRUE;
#2

[eluser]Joseph Wensley[/eluser]
I went through this on here once. I was doing the same thing you are, but realized that if a user is deleted or something they could still be logged in because their session might still exist.

I think the best thing to do is just check the DB on each page load to make sure they are still logged in.


My original thread - http://ellislab.com/forums/viewthread/144607/
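One way to do the per-page-load check from reply #2 in CodeIgniter 2.x, as an added example (not code from either poster): a base controller that re-reads the account from the database on every request and destroys the session when the account is gone or disabled. It assumes a `users` table with `id`, `username` and `active` columns, and that the login code stores `user_id` in the session next to `logged_in`; both are assumptions.

```php
<?php
// application/core/MY_Controller.php (added example, not from the thread).
// Assumes: `users` table with id/username/active, and that login stores
// `user_id` in the session alongside `logged_in`.
class MY_Controller extends CI_Controller
{
    protected $user = NULL;   // row object for the current user, or NULL

    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('session');
        $this->load->helper('url');
        $this->user = $this->refresh_user();
    }

    // Re-validate the session against the DB. A stale session no longer
    // keeps a deleted or deactivated account logged in.
    protected function refresh_user()
    {
        if ($this->session->userdata('logged_in') !== TRUE) {
            return NULL;
        }
        $user_id = (int) $this->session->userdata('user_id');

        // Query builder escapes the bound value; the cast makes it an int.
        $query = $this->db->select('id, username, active')
                          ->where('id', $user_id)
                          ->get('users');

        // num_rows() is used because CI 2.x row() returns an empty array,
        // not NULL, when there is no result.
        if ($query->num_rows() !== 1) {
            $this->session->sess_destroy();   // account deleted
            return NULL;
        }
        $row = $query->row();
        if ((int) $row->active !== 1) {
            $this->session->sess_destroy();   // account disabled
            return NULL;
        }
        return $row;
    }

    // Call at the top of any controller method that needs a login.
    protected function require_login()
    {
        if ($this->user === NULL) {
            redirect('auth/login');
        }
    }
}
```

Controllers that extend MY_Controller instead of CI_Controller get the check on every page load and can call `$this->require_login()` where the original `logged_in === TRUE` test used to be.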



