setting custom session variables

#1
[eluser]mistress_shiira[/eluser]
hi guys!
i just want your comments on this.i have a callback function on my validation that checks for the username and password.i tried to set the logged_in field to 1 on successful validation before directing it to another page.
i tried to do this:
Code:
$this->session->set_userdata('logged_in',1);
but when i look at my ci_sessions table,the logged_in field remained 0.

is session the correct way for me to do this or not?
basically,i dont want the users to be able to access other pages if they are not logged in.

thanks!

#2
[eluser]gtech[/eluser]
I have used the session for the same purpose and it works well. The session does time out (which is a good thing)

does this bit of code work (you should get a 1 displayed on the page)?
Code:
$this->session->set_userdata('logged_in',1);
print_r($this->session->userdata('logged_in'));

#3
[eluser]Michael Wales[/eluser]
Using the default sessions library - only the standard session data is saved to the database. Custom session is still save to the cookie - even if you configure it to use the database.

#4
[eluser]mistress_shiira[/eluser]
@gtech: yes i tried that and got 1 on the page as output but then
when i verify it on my database,the value does not change.

#5
[eluser]WolfgangA[/eluser]
I just wonder wether:

- Storing the userid (encrypted) in a cookie should be considered an security issue?
And if so:
- Wether it would make sense to extend the Session lib to support storing the user_id in the db?

Regards

Wolfgang

#6
[eluser]theswede[/eluser]
*bump*

Is it standard praxis to store variables such as 'is_logged_in' using the session lib? Does CI in any way prevent tampering of those cookies?

#7
[eluser]WolfgangA[/eluser]
You can use a session lib, that does store sessiondata (except the session_id of cause) in a database on the serverside.
You can also encrypt session data.

#8
[eluser]theswede[/eluser]
So it is dangerous to store sessions in this way?

#9
[eluser]tonanbarbarian[/eluser]
Technically if your session processing is just storing information the cookie it could be considered dangerous
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that dont worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion

#10
[eluser]theswede[/eluser]
[quote author="tonanbarbarian" date="1199784497"]Technically if your session processing is just storing information the cookie it could be considered dangerous
But how often do you find a situation where someone has actually modified their cookie data?
The average visitor to your site would have NO CLUE how to modify the cookie data.

That said I prefer to put NOTHING in the cookie that is not needed. So if I can I will use a session library (like db_session) that stores all of the data on the server somewhere (in the case of db_session in the database) thus ensuring that the user cannot change any data except via the interface given in the website.

If all you are storing in the session is their choice of favorite colour or something innocent like that dont worry, but if you are storing anything to do with user authentication and validation it should not be in the cookie.
For authenticated sessions only a unique session id should be in the cookie.

Just my opinion[/quote]

Thank you, that is exactly what I wanted to know Smile


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.