Storing username and password in session: is it safe?

#1
[eluser]Kency[/eluser]
Hello everyone!

I'm new to CodeIgniter and I'm trying to write a small project with it.

I want to show some functions only to users whose role allows them to view them.

My database structure:

Table Group

Groupid int(11)
Groupname varchar(255)
adminpanel tinyint(1) // the user can log in to the admin panel when the value is 1, otherwise 0
sitemanager tinyint(1) // some users can access the admin panel but cannot manage the site (turn the site on/off)
usermanager tinyint(1) // this right is for managing users; the user can add/edit/delete users if the value is 1

And my question is:

When a user logs in to the admin panel, I create a session to store the username, the password and a logged flag (this parameter checks whether the user is logged in or not).

When the login succeeds, I use the username and password stored in the session and pass them to a method that gets the user's permissions, i.e. whether he or she can access site management or user management.

Is this safe for my site, or is there a better practice?

Does anybody have any method or advice for me?




#2
[eluser]CroNiX[/eluser]
You shouldn't need to store a password in session. If they get authenticated (with the username/password), you should just mark that they are logged in (in session) and also their permissions. Not sure why you would need their password after they are logged in. Your modules would just use that info to allow/disallow activities after ensuring they are logged in.
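
The login flow CroNiX describes, as an added example that is not part of the original post or of CodeIgniter itself. It assumes CodeIgniter 3, PHP 5.5 or later for password_verify(), that passwords in the user table were stored with password_hash(), and a hypothetical User_model::get_by_username() that returns the user row joined with its Group row (columns id, username, password_hash, adminpanel, sitemanager, usermanager) or NULL when the username does not exist. The password is used once to verify the hash and is never written to the session; the session carries only the identity and the permission flags that later requests need.

```php
<?php
// Added example (not from the original post). Assumes CodeIgniter 3, PHP >= 5.5
// and a hypothetical User_model::get_by_username() returning the joined
// user + group row (id, username, password_hash, adminpanel, sitemanager,
// usermanager) or NULL when the user is unknown.
// File: application/controllers/admin/Login.php
class Login extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');
        $this->load->library('session');
        $this->load->helper('url');
    }

    public function index()
    {
        $this->load->view('admin/login');
    }

    public function authenticate()
    {
        $username = (string) $this->input->post('username');
        $password = (string) $this->input->post('password');

        $user = $this->user_model->get_by_username($username);

        // Verify against a freshly made dummy hash when the user is unknown so
        // that an attacker cannot tell valid from invalid usernames by timing.
        // password_verify() runs first on purpose: "&&" would skip it otherwise.
        $hash = $user ? $user->password_hash : password_hash('dummy', PASSWORD_DEFAULT);
        $ok   = password_verify($password, $hash) && $user !== NULL;

        if (!$ok || (int) $user->adminpanel !== 1) {
            // One message for a wrong password and for a missing adminpanel right.
            $this->session->set_flashdata('error', 'Invalid login.');
            redirect('admin/login');
        }

        // A new session id on login defeats session fixation (CI 3 API; the
        // CI 2 session library does not have this method).
        if (method_exists($this->session, 'sess_regenerate')) {
            $this->session->sess_regenerate(TRUE);
        }

        // Only what later requests need: who the user is and what they may do.
        // The plaintext password is deliberately not stored anywhere.
        $this->session->set_userdata(array(
            'is_logged_in' => TRUE,
            'user_id'      => (int) $user->id,
            'username'     => $user->username,
            'perms'        => array(
                'sitemanager' => (int) $user->sitemanager === 1,
                'usermanager' => (int) $user->usermanager === 1,
            ),
        ));

        redirect('admin/');
    }

    public function logout()
    {
        $this->session->sess_destroy();
        redirect('admin/login');
    }
}
```

Keeping the password out of the session matters because CodeIgniter 2 stores session data client-side in a cookie by default (encrypted only if sess_encrypt_cookie is on), and even server-side session stores get dumped in backups and logs. Permissions cached in the session stay in force until logout, so a right revoked in the Group table takes effect only at the next login; if that is a problem, re-read the flags from the database on each request instead of caching them.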

#3
[eluser]Kency[/eluser]
Thanks for your reply, CroNiX.

Because users who log in to the admin panel may or may not have the role to see some functions, I want to get the password in the admin controller (because the login controller gets the password from the user when he/she types it into the text field), and I have to check whether usermanager in his group is 1: if so, he can view this function, otherwise he can't.

And one more question: how do I pass the username through many controllers?

I use a global variable, but I don't think it is a good way to pass the username through every controller,

because my view looks like:

Code:
<?php $this->load->view("admin/includes/header");?>

<?php $this->load->view("admin/includes/leftmenu");?>

<?php $this->load->view("admin/includes/navmenu");?>

<?php $this->load->view("admin/".$main_content);?>

<?php $this->load->view("admin/includes/footer");?>

Only $main_content is dynamic, but when controller A passes the parameter $main_content into this class like:

Code:
$data['content'] = 'Content ABC';
$this->load->view('template',$data);

but when I do this, it reloads the header, footer and navigation menu.

If I use the session to store the admin, in each controller I must do the same thing to pass the username into the view (the username is displayed in the navigation menu class, which is an HTML template).

Example:

When I pass the username into the view in controller site.php:

Code:
<?php
$username = NULL; // global variable

class Admin extends CI_Controller {

    public function __construct()
    {
        parent::__construct();

        if (is_logged_in() != TRUE) {
            /* check whether the user is logged in; if not, redirect to the error page */
            redirect(base_url('admin/login/errorlogin'));
        } else {
            // is_logged_in() returns the username read from the session
            $uname = is_logged_in();
            $GLOBALS['username'] = $uname;
        }
    }

    public function loadGUI($content)
    {
        $data['main_content'] = $content;
        $data['username']     = $GLOBALS['username'];
        $this->load->view("admin/includes/template", $data);
    }
}

My code snippet is like the above. As you can see, in the controller above, when I want to show the user's username I must create a global variable and do the same thing in every controller like the one above; it takes many times.

And as I mentioned before, user Tom logs in to the admin panel, but Tom cannot see user management, and user Sisi logs in to the admin panel with the admin role and she can see everything.

How do I handle this, passing it just once but using it many times?

Thank you very much

#4
[eluser]ojcarga[/eluser]
Why don't you just get the role ID stored in the session and validate that way whether the user has permissions or not?
As @CroNiX said, you shouldn't..

And you can manage the username through the controllers using the session too, not global variables.

#5
[eluser]Kency[/eluser]
Thanks for your reply @ojcarga,

but how do I manage the username with the session?

As you can see, is_logged_in() stores the session of the user login; when the user is logged in it returns the username, otherwise it will redirect.

The is_logged_in code is:

Code:
function is_logged_in() {
    // Get current CodeIgniter instance
    $CI =& get_instance();
    // We need to use $CI->session instead of $this->session
    $login    = $CI->session->userdata('is_logged_in');
    $username = $CI->session->userdata('username');
    // userdata() returns FALSE (CI 2) or NULL (CI 3) when the key is absent,
    // so a plain loose comparison covers both
    if ($login != TRUE) { return FALSE; } else { return $username; }
}

and the way I set my session for the user login:

Code:
$query = $this->user_model->login_validate($username, $password);
if ($query != FALSE) {
    // credentials accepted: store only the username and a logged-in flag
    $data = array(
        'username'     => $username,
        'is_logged_in' => TRUE
    );
    $this->session->set_userdata($data);
    redirect(base_url('admin/'));
} else {
    $this->index();
}
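
One way to do what ojcarga suggests (username and rights carried by the session, no global variables, checked once and reused by every controller and view), as an added example that is not part of the original posts or of CodeIgniter. It assumes CodeIgniter 3 and that the login code stored 'is_logged_in', 'username' and a 'perms' array such as array('sitemanager' => TRUE, 'usermanager' => FALSE) in the session; the class and method names MY_Controller, require_login(), has_perm(), require_perm() and render() are this example's own choices. CodeIgniter loads application/core/MY_Controller.php automatically, so any controller can extend it.

```php
<?php
// Added example (not from the original posts). Assumes CodeIgniter 3 and a
// session that holds 'is_logged_in', 'username' and a 'perms' array written
// at login time (hypothetical keys, chosen for this example).
// File: application/core/MY_Controller.php
class MY_Controller extends CI_Controller
{
    /** @var array 'username' and 'perms' of the current user, empty until require_login() */
    protected $current_user = array();

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Called once from the admin base constructor: bounces anonymous requests
    // and makes $username / $perms available to every view that gets loaded.
    protected function require_login()
    {
        if ($this->session->userdata('is_logged_in') !== TRUE) {
            redirect('admin/login/errorlogin'); // redirect() exits
        }
        $perms = $this->session->userdata('perms');
        $this->current_user = array(
            'username' => (string) $this->session->userdata('username'),
            'perms'    => is_array($perms) ? $perms : array(),
        );
        // load->vars() is merged into the data of every later view() call, so
        // header, navmenu and footer see $username without each controller
        // passing it again.
        $this->load->vars(array(
            'username' => $this->current_user['username'],
            'perms'    => $this->current_user['perms'],
        ));
    }

    // TRUE only when the flag exists and is truthy: deny by default.
    protected function has_perm($name)
    {
        return !empty($this->current_user['perms'][$name]);
    }

    // Gate for actions that need a specific right; 403 instead of a redirect
    // so the refusal is explicit in logs and to the user.
    protected function require_perm($name)
    {
        if (!$this->has_perm($name)) {
            show_error('You do not have permission to access this page.', 403);
        }
    }
}

// File: application/controllers/admin/Admin.php
class Admin extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->require_login();
    }

    public function index()
    {
        $this->render('main');
    }

    // Hiding the menu entry is only cosmetic; the check has to be here too,
    // because the URL can be typed directly.
    public function users()
    {
        $this->require_perm('usermanager');
        $this->render('users');
    }

    private function render($content)
    {
        $this->load->view('admin/includes/template', array('main_content' => $content));
    }
}
```

With this in place, leftmenu.php can wrap the user-management link in `if (!empty($perms['usermanager']))` to hide it from Tom and show it to Sisi, while the users() action still refuses Tom if he requests the URL by hand. That second, server-side check is the one that actually protects the site.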

#6
[eluser]ojcarga[/eluser]
Sorry @Kency, I do not understand at all where your problem is.

You are getting the value this way:
Code:
$login = $CI->session->userdata('is_logged_in');
And you are setting the value:
Code:
$data = array(
    'username'     => $username,
    'is_logged_in' => TRUE
);
$this->session->set_userdata($data);

So, please, provide us with the right workflow of your application in order to help you.

#7
[eluser]Kency[/eluser]
OK, finally I solved my problem with

$this->session->userdata('username')

I misunderstood when reading the CodeIgniter wiki, sorry! :D

