#1

[eluser]malzahar[/eluser]
This is more of a general PHP / server question than directly codeigniter but what is the best practice for storing user information in cookies? For example, I have an application that has regular members and administrators. If a user is logged in do I store their username in the cookie and likewise if it's an administrator do I store something like "is_admin" in the cookie? This seems insecure as someone could edit a cookie to give them administrator access.

What is the best practice for logged in users?

Thanks.
#2

[eluser]xerobytez[/eluser]
The best way in my opinion is to store user info like username, group etc. in a database. Then assign a unique identifier to the record, like a 32-character alphanumeric string, and set that in the cookie. CodeIgniter already has this functionality built right into the session class. Take a look at the "Saving session data to a database" section at http://ellislab.com/codeigniter/user-gui...sions.html
#3

[eluser]malzahar[/eluser]
So I'm assuming the process might look something like this: a user submits a login form with their username and password; after validating, create a cookie containing a session_id and a record in the session database with the session_id, user_id, and an is_logged_in boolean value. Then whenever the user navigates to logged-in pages or tries to do member-only actions, compare the cookie value to the session record value. If the values are the same, retrieve the user information from the user_id that is also stored in the session table?

Sorry if I'm not getting it completely just trying to make sense out of it in my head! Thanks for all of your help.
#4

[eluser]xerobytez[/eluser]
Yup, you got it. And as an added measure I would generate a new session ID for each user every 5 mins or so and then update the session record in the DB and the cookie. That way, if a logged-in user gets their cookie stolen somehow, it will only be good for a max of 5 mins before the session ID updates and the old one becomes invalid.
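The flow agreed on in #2 to #4, as an added Python sketch that is not from the thread or from CodeIgniter: the cookie carries only an opaque random session_id, the user_id / is_admin data stays in the server-side store, and the id is rotated after 5 minutes. The dicts stand in for the users and sessions tables and timestamps are passed in so the rotation can be exercised.

```python
import secrets

SESSION_TTL = 5 * 60  # rotate the session id after 5 minutes, as suggested in #4

# Constructed stand-in for the users table: group/role data lives only here, never in the cookie.
USERS = {
    1: {"username": "alice", "is_admin": True},
    2: {"username": "bob", "is_admin": False},
}

# Constructed in-memory stand-in for the sessions table: session_id -> record.
SESSIONS = {}


def new_session_id():
    # 32 hex characters from the OS CSPRNG; this is the only value the cookie holds.
    return secrets.token_hex(16)


def login(user_id, now):
    """After the password check: create the session record and return the cookie value."""
    sid = new_session_id()
    SESSIONS[sid] = {"user_id": user_id, "is_logged_in": True, "issued_at": now}
    return sid


def resolve(cookie_sid, now):
    """Map a cookie value to (user record, cookie value to send back).

    Returns (None, None) for unknown, forged or expired ids. A tampered cookie such as
    "is_admin=1" simply fails the lookup, because authorization comes from USERS, not the cookie.
    """
    rec = SESSIONS.get(cookie_sid)
    if rec is None or not rec["is_logged_in"]:
        return None, None
    user = USERS.get(rec["user_id"])
    if user is None:
        return None, None
    if now - rec["issued_at"] >= SESSION_TTL:
        # Rotation: the old id is deleted so a stolen copy stops working; the new id
        # is written to the store and must be set in the cookie by the caller.
        del SESSIONS[cookie_sid]
        new_sid = login(rec["user_id"], now)
        return user, new_sid
    return user, cookie_sid


def logout(cookie_sid):
    SESSIONS.pop(cookie_sid, None)
```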
#5

[eluser]malzahar[/eluser]
Awesome. Thanks again.
Theme © iAndrew 2016 - Forum software by © MyBB