[Solved] Where to store user info after logging in

#1
[eluser]Sim00n[/eluser]
Hello,
My problem isn't complicated at all but it's more kind of an organization struggle.
I'm creating my first real CodeIgniter application and I stopped at the point where I don't know what the best way to store information about a user is.

After a user logs in I'm storing its username and userlevel in a session (through database), but what about the other info like age, city, and ~ 20 others... I think storing those in the session is too resource consuming, so where else can I store them? I don't want to call a function to retrieve it from the database every time I need to use that information.
Any ideas?
Best regards, Sim00n.

#2
[eluser]Aken[/eluser]
Put it in the userdata in the session database if it's something that you'll need on many pages. The session data is going to be summoned regardless, so it's a resource that is already at your disposal. And since you're using the database for storing the data, you have LOTS more room available for data as opposed to a cookie.

So the flow would be something like:

- User logs in.
- Data for that user is grabbed from the DB.
- Data is assigned to the session.
- Redirect or whatever is appropriate after login.

One thing that might help is you can serialize an object and attach it to a single userdata variable. So instead of saving 'name', 'age', 'city' and such to individual $this->session->userdata('age') type items, you can say:
Code:
$data = (object) array(
    'name' => 'Mike',
    'age' => 26,
    'city' => 'Milwaukee',
);

$this->session->set_userdata('info', serialize($data));

#3
[eluser]Sim00n[/eluser]
Aken, thank you for your reply and for the great advice.
The only thing I don't get is why to pass an object instead of a regular array into the set_userdata function?
Thanks again,
Best Regards,
Sim00n.

#4
[eluser]Aken[/eluser]
You can set userdata in two ways:

1) Individually:
Code:
$this->session->set_userdata('name', 'Mike');

2) Multiple items at once, via array:
Code:
$data = array(
    'name' => 'Mike',
    'age' => 26,
    'city' => 'Milwaukee',
);

$this->session->set_userdata($data);

I'm simply offering a suggestion of storing data in a way that makes it easier to access in your application. If you store all of your 20+ info items via the array method #2, each one will be accessed via the following:
Code:
echo $this->session->userdata('name');
echo $this->session->userdata('age');

Instead, if you take all those items and put them inside an array or object, and then serialize it, you will effectively have a single string with a ton of data in it.
Code:
$info = (object) array(
    'name' => 'Mike',
    'age' => 26,
    'city' => 'Milwaukee',
);

$this->session->set_userdata('info', serialize($info));

Then, you can call that single item, assign it to a variable in your controller, and then access each item with MUCH less code.
Code:
$info = unserialize($this->session->userdata('info'));

echo $info->name;
echo $info->age;

The downside to this method is if you want to update one of those properties, you have to update your array/object, serialize it again then set the session data again. So you might not want to use it for flags such as if they're logged in or any other user data that might be dynamic while they are using your application.
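The read-modify-write cycle described in the post above, as an added example that is not part of the original thread. `FakeSession` and `update_info()` are hypothetical names; the class only mimics `set_userdata()` / `userdata()` so the code runs outside CodeIgniter, and the `allowed_classes` option assumes PHP 7 or later.

```php
<?php
// Minimal stand-in for $this->session so the example runs outside CodeIgniter
// (hypothetical class; it only mimics set_userdata() and userdata()).
class FakeSession
{
    private $data = array();

    public function set_userdata($key, $value)
    {
        $this->data[$key] = $value;
    }

    public function userdata($key)
    {
        // CodeIgniter 2.x returns FALSE for a missing item.
        return isset($this->data[$key]) ? $this->data[$key] : false;
    }
}

// Read-modify-write of one property inside the serialized 'info' item.
function update_info($session, $property, $value)
{
    $raw = $session->userdata('info');

    // Only stdClass may be rebuilt; any other class name in the string
    // becomes __PHP_Incomplete_Class instead of a live object.
    $info = is_string($raw)
        ? unserialize($raw, array('allowed_classes' => array('stdClass')))
        : false;

    if (!($info instanceof stdClass)) {
        $info = new stdClass(); // missing or corrupt item: start clean
    }

    $info->$property = $value;
    $session->set_userdata('info', serialize($info));
    return $info;
}

$session = new FakeSession();
$session->set_userdata('info', serialize((object) array(
    'name' => 'Mike', 'age' => 26, 'city' => 'Milwaukee',
)));

update_info($session, 'city', 'Madison'); // constructed sample value
$info = unserialize($session->userdata('info'), array('allowed_classes' => array('stdClass')));
echo $info->name, ' / ', $info->city, PHP_EOL;
```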

#5
[eluser]Sim00n[/eluser]
That's actually an awesome way of storing data, and that's how I'm going to do it.
Oh, and one more question: if I'm using the database for sessions, there is no way to hack it through, let's say, editing cookies, am I right?

Best regards, Sim00n.

#6
[eluser]Aken[/eluser]
Only on the long shot that your hacker can spoof the session_id, IP address and user agent string of a logged-in user. Pretty unlikely. You can increase security by setting the "sess_encrypt_cookie" config item to TRUE. You could even encrypt all of your session data if you wanted to make it even more secure, but you would need to extend the session class with some custom code to make it do that automatically when accessing / modifying data.

#7
[eluser]Sim00n[/eluser]
Great - that's all I wanted to know. Thank you again.

#8
[eluser]arcreative[/eluser]
[quote author="Aken" date="1310980387"]Only on the long shot that your hacker can spoof the session_id, IP address and user agent string of a logged-in user. Pretty unlikely. You can increase security by setting the "sess_encrypt_cookie" config item to TRUE. You could even encrypt all of your session data if you wanted to make it even more secure, but you would need to extend the session class with some custom code to make it do that automatically when accessing / modifying data.[/quote]

IP can't be spoofed--you'll be pretty safe if you set the $config['sess_match_ip'] = TRUE; under config.php

#9
[eluser]Aken[/eluser]
It's possible, but unlikely. I included it, though, as those are the three items most commonly compared against to match a user's computer to its appropriate database session entry.

#10
[eluser]arcreative[/eluser]
Not to spoof an authenticated session--as an attacker isn't going to get the reply packets...

But while I'm here, it should probably be mentioned that IP matching is finicky in situations (especially mobile browsing) where the IP can change on a per-request basis. CI will drop the session every time the IP changes, so this should be considered when building your application!
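The matching discussed in posts #6 to #10, as an added example that is not part of the original thread and is not CodeIgniter's own code. It checks the session_id, IP address and user agent of a request against a stored row and shows what `sess_match_ip` does to a client whose IP changes; `match_session()`, the table contents and the requests are constructed for illustration, and `sess_match_useragent` is the companion setting in CodeIgniter's config.php.

```php
<?php
// Constructed stand-in for one row of the session table.
$sessionTable = array(
    'a3f1c0de9b' => array(
        'ip_address' => '203.0.113.10',
        'user_agent' => 'ExampleBrowser/1.0',
        'user_data'  => serialize(array('username' => 'mike', 'userlevel' => 1)),
    ),
);

// Return the stored user data when the request matches the row, else NULL.
function match_session(array $table, array $request, array $config)
{
    $id = $request['session_id'];
    if (!is_string($id) || !isset($table[$id])) {
        return null; // no such session
    }
    $row = $table[$id];
    if ($config['sess_match_ip'] && $row['ip_address'] !== $request['ip_address']) {
        return null; // IP differs from the one recorded for this session
    }
    if ($config['sess_match_useragent'] && $row['user_agent'] !== $request['user_agent']) {
        return null; // different browser string
    }
    // The data was stored as an array, so no classes need to be rebuilt (PHP 7+).
    return unserialize($row['user_data'], array('allowed_classes' => false));
}

// Constructed requests that all carry the same session_id.
$requests = array(
    'same client' => array('session_id' => 'a3f1c0de9b',
        'ip_address' => '203.0.113.10', 'user_agent' => 'ExampleBrowser/1.0'),
    'same id, other client' => array('session_id' => 'a3f1c0de9b',
        'ip_address' => '198.51.100.7', 'user_agent' => 'OtherBrowser/2.0'),
    'same client, new IP' => array('session_id' => 'a3f1c0de9b',
        'ip_address' => '203.0.113.99', 'user_agent' => 'ExampleBrowser/1.0'),
);

foreach (array(true, false) as $matchIp) {
    $config = array('sess_match_ip' => $matchIp, 'sess_match_useragent' => true);
    echo 'sess_match_ip = ', $matchIp ? 'TRUE' : 'FALSE', PHP_EOL;
    foreach ($requests as $label => $request) {
        $user = match_session($sessionTable, $request, $config);
        echo '  ', $label, ': ', $user === null ? 'session dropped' : 'session kept', PHP_EOL;
    }
}
```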

