Is FLASHDATA visible to user?
#1

[eluser]echo_boom[/eluser]
I am using flashdata to pass info from one CONTROLLER function to another CONTROLLER function with a VIEW in between.

I figured out this is a good way to pass info because the flashdata gets CLEARED after the destination CONTROLLER function loads, and the user is NOT able to refresh the browser and FALSELY increment a table field.

I originally passed the value from the CONTROLLER function to the VIEW and then as a PARAMETER (as a URI segment) to the destination CONTROLLER function, BUT the user was able to keep hitting refresh in the browser on the destination CONTROLLER function and completely mess up the inventory count for a product by incrementing the 'total_count' field on each refresh.

So I was wondering, if you store the user’s table ID in flashdata, whether they are able to somehow read that info on their frontend and do something malicious with it.

I was worried the user might somehow plug in this ID and do some kind of manual refresh/reload process to keep incrementing the inventory field.
#2

[eluser]WanWizard[/eluser]
It depends.

If you use cookie-based sessions, your cookies should be encrypted, and in that case they can't. If you have disabled encryption, then everything is in the clear.

If you use server-based session storage (either DB or one of the other solutions available as third-party), no data is sent to the client apart from the session id and some control data, so then the answer is no too.
#3

[eluser]echo_boom[/eluser]
[quote author="WanWizard" date="1344798472"]It depends.

If you use cookie-based sessions, your cookies should be encrypted, and in that case they can't. If you have disabled encryption, then everything is in the clear.

If you use server-based session storage (either DB or one of the other solutions available as third-party), no data is sent to the client apart from the session id and some control data, so then the answer is no too.[/quote]

Thank you very much for the quick response. :-)

In my config.php:

Code:
$config['sess_encrypt_cookie'] = FALSE;

However, I am storing sessions to database:

Code:
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';

In the table 'ci_sessions' I have ONLY these fields: session_id, ip_address, user_agent, last_activity, user_data.

In this config environment, will the website visitor be able to see what the application stores inside of CI FLASHDATA?

Why or why not?
#4

[eluser]WanWizard[/eluser]
As you use the database to store your session data, no data is sent to the client.

But by not encrypting the session cookie, you've opened yourself to session hijacking, so don't switch that off.
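The one-shot pattern the thread describes, written out as an added CodeIgniter 2.x controller (example code, not from any poster; the 'products' table, its 'id' and 'total_count' columns, the 'inventory_confirmed' view and the 'product_id' form field are all assumed names): with sess_use_database = TRUE the product ID lives in the ci_sessions row, so the client only ever holds the session id, and because flashdata survives exactly one request a reload of the confirm page finds nothing and performs no second increment.

```php
<?php
// Added example, not from the thread. Assumes a 'products' table with 'id' and
// 'total_count' columns, sess_use_database = TRUE, and the session library loaded.
class Inventory extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->database();
    }

    // Step 1: the form posts here. Nothing is written yet. The product ID is
    // stashed server-side; the browser receives only the session cookie and
    // is redirected, so "refresh" re-requests confirm(), not this method.
    public function receive()
    {
        $product_id = (int) $this->input->post('product_id');
        $this->session->set_flashdata('pending_product', $product_id);
        redirect('inventory/confirm');
    }

    // Step 2: consume the one-shot value. Flashdata is readable only in the
    // request that follows the one which set it; on a reload flashdata()
    // returns FALSE, so the UPDATE below cannot run twice for one submission.
    public function confirm()
    {
        $product_id = $this->session->flashdata('pending_product');
        if ($product_id === FALSE || (int) $product_id <= 0) {
            show_error('Nothing to confirm, or this page was reloaded.', 400);
        }

        // Increment in SQL (FALSE = do not escape the expression) so concurrent
        // requests cannot lose updates through a read-modify-write race.
        $this->db->set('total_count', 'total_count + 1', FALSE)
                 ->where('id', (int) $product_id)
                 ->update('products');

        $this->load->view('inventory_confirmed', array('product_id' => $product_id));
    }
}
```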
