CI Session Encryption and Database Field Length
#1

[eluser]Paul Skinner[/eluser]
I've been reading up on CI Sessions from the user guide and have found the guide to be a little lacking on the subject.

It suggests encryption of the session and storing the session data in a database using the following SQL code:

Code:
CREATE TABLE IF NOT EXISTS  `ci_sessions` (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text DEFAULT '' NOT NULL,
PRIMARY KEY (session_id)
);

So is this code taking into account the possibility of encryption, or do I need to up the varchar and int sizes to take into account the encryption (I presume it's stored encrypted in the DB?)?

Also, if I store my own data in the session (i.e. user_logged_in = true) I presume I need to add a field to the DB for this?

Also also, is it secure enough to store whether or not a user is a "super admin" using the encrypted cookies? I realise the answer to this question is debatable, but as a general rule is it ok for a site where security is important, but not that important.

Thanks in advance for any help.


Paul
#2

[eluser]Paul Skinner[/eluser]
Ok, so I've discovered that it's *not* encrypted in the database, and that I *don't* have to add any extra fields to the database.

So, I'm now guessing that only the session cookie is encrypted?
So my final question still stands: is this sufficiently secure for setting whether or not a user is a super admin?
#3

[eluser]InsiteFX[/eluser]
As far as data size goes, it is the user_data field that stores all your session stuff!
You can change the size by using either mediumtext or longtext.

You would encrypt all your passwords in the session!

InsiteFX
#4

[eluser]guidorossi[/eluser]
I was wondering the same thing, but then I realized that I don't even need to store any sensitive information in the user_data field...

Are you storing sensitive information like passwords in the session database?
#5

[eluser]Paul Skinner[/eluser]
No, I am only storing is_admin_user and is_logged_in.
#6

[eluser]WanWizard[/eluser]
[quote author="Paul Skinner" date="1300463150"]Also also, is it secure enough to store whether or not a user is a "super admin" using the encrypted cookies? I realise the answer to this question is debatable, but as a general rule is it ok for a site where security is important, but not that important.[/quote]
Please read this sentence again.

Are you actually saying that your sites give users (admin or not) direct access to all database tables? Because if the answer is 'No', how can a user access data in the sessions table?
#7

[eluser]WanWizard[/eluser]
[quote author="guidorossi" date="1300486743"]are you storing sensitive information like passwords in the session database?[/quote]
Who cares?

You have to store them somewhere (otherwise nobody can login), logically in a users table. From a security point of view it doesn't really matter if the same data is also (temporarily) stored in other tables.
#8

[eluser]Paul Skinner[/eluser]
[quote author="WanWizard" date="1300488010"][quote author="Paul Skinner" date="1300463150"]Also also, is it secure enough to store whether or not a user is a "super admin" using the encrypted cookies? I realise the answer to this question is debatable, but as a general rule is it ok for a site where security is important, but not that important.[/quote]
Please read this sentence again.

Are you actually saying that your sites give users (admin or not) direct access to all database tables? Because if the answer is 'No', how can a user access data in the sessions table?[/quote]

...no.

Perhaps I may be misunderstanding sessions, but at some point here aren't these sessions stored on the user's local machine (as a session cookie)? Or is it only their session_id that's stored, and only that, (optionally) their IP, and part of their User Agent string that's checked against, and the rest is just being pulled via an unseen query in the sessions library when I call
Code:
$this->session->userdata('is_logged_in')
?
#9

[eluser]InsiteFX[/eluser]
NO! user_data from the session user_data field is stored in the session cookie!

What is Session Data?

A session, as far as CodeIgniter is concerned, is simply an array containing the following information:
The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)
The user's IP Address
The user's User Agent data (the first 50 characters of the browser data string)
The "last activity" time stamp.

That is all that is stored in the session cookie unless you are not using database sessions; then the user_data is stored in the cookie, which has a 4Kb limit!

This is why most users use the database sessions.

InsiteFX
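The point of the exchange above is that a flag like is_admin_user only becomes a problem when it travels to the client in the cookie rather than staying in the sessions table, and even then only if the cookie is not integrity-protected. The following Python model, added here and not part of CodeIgniter or this thread, shows why: the session array is serialized into a cookie with an HMAC appended, and a cookie whose flag was changed after issue fails the check and is discarded. The key and the session values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment uses its own long random key
# (the role $config['encryption_key'] plays in CodeIgniter).
ENCRYPTION_KEY = b"demo-only-not-a-real-key"


def build_cookie(session: dict, key: bytes = ENCRYPTION_KEY) -> str:
    """Serialize the session array and append an HMAC-SHA256 tag (hex)."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + tag


def read_cookie(cookie: str, key: bytes = ENCRYPTION_KEY):
    """Return the session dict if the tag verifies, otherwise None."""
    tag_len = hashlib.sha256().digest_size * 2  # hex characters
    if len(cookie) <= tag_len:
        return None
    payload, tag = cookie[:-tag_len], cookie[-tag_len:]
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # modified on the client side, or signed with another key
    try:
        return json.loads(payload)
    except ValueError:
        return None


def demo():
    """Issue a cookie, then show that a client-side edit of the flag is rejected."""
    session = {  # constructed values in the shape CI's session array uses
        "session_id": "constructed-session-id",
        "ip_address": "203.0.113.7",
        "user_agent": "Mozilla/5.0 (constructed)",
        "last_activity": 1300463150,
        "is_logged_in": True,
        "is_admin_user": False,
    }
    cookie = build_cookie(session)
    accepted = read_cookie(cookie)
    # Same cookie with the privilege flag flipped in the serialized payload
    edited = cookie.replace('"is_admin_user":false', '"is_admin_user":true')
    rejected = read_cookie(edited)
    return accepted, rejected
```

With database sessions the user_data never reaches the client at all, so the tag only has to protect the session_id; the model still applies to what is in the cookie.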
#10

[eluser]Paul Skinner[/eluser]
Fine. That's explained it.

Personally, I don't believe the user guide clarifies this enough; I would like to add my vote to furthering the details on this particular subject in the user guide.

Thanks,

Paul
