Session Problem

#11
The thing is, no one is sure if you have a session problem or a coding problem.

It seems like you have a coding problem.

Also, people are concerned at the lack of security your code is showing, but I am going to guess you have simplified your code for the sake of the question. Of course you should never store a user's password in a database. That would be the worst possible thing you can do. You should store a password hash using a strong one-way hashing algorithm such as the one PHP provides: http://php.net/manual/en/function.password-hash.php

When a user submits their password, you hash the submitted value and look that up with their username, and if you get a match, set an identifier in their session, like user_code or something that changes on each login (not their id or username). Then at each logged-in page you check that it is set (indicating they are logged in) and use the code to identify the user details (like user name). So to fake the entry they would need the session code, the user_code and, if set, the same IP address. You then do a lookup expecting only a single row to be returned, and use ->row_array or some similar way to access the returned result set.

So the first thing is to test your sessions. Add this to your controller:

Code:
$this->output->enable_profiler(TRUE);

You will see all sorts of great info at the bottom of your page. One of them is the session data. Take a look and see what it says. Does it match what you expected? Try adding some session data to test the output.

Code:
$_SESSION['test_item'] = 'My session data';

Now take that line out and refresh the page and it should still be in your session data, as we have not unset it yet.

Go to a new tab/browser and reload the page. This will be a new session, so the session data should not be there.

If your sessions are working, you should now not see your test data.

If you are unfamiliar with authorization security, use a CI auth library of some sort. I would recommend both community auth and ion auth but there are others that are very good too.
Reply
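The login and per-page check described in #11, as an added example that is not from the poster or from CodeIgniter. It uses plain PDO instead of the CI query builder, and the table/column names (users, password_hash, user_code, login_ip) are assumptions. Because password_hash() salts each hash, the check is done with password_verify() after fetching the row by username rather than by looking up the hash itself.

```php
<?php
// Added example, not the forum poster's code. Schema is assumed:
//   users(id, username, password_hash, user_code, login_ip)

// Registration: store only the hash, never the password.
function createUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: verify the submitted password, then issue a fresh per-login user_code.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() handles the salt and compares in constant time;
    // do not compare hashes with == yourself.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Random identifier that changes on every login, not the id or username.
    $userCode = bin2hex(random_bytes(32));
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $upd = $db->prepare('UPDATE users SET user_code = ?, login_ip = ? WHERE id = ?');
    $upd->execute([$userCode, $ip, $row['id']]);

    // New session id at login so a pre-login session id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_code'] = $userCode;
    return true;
}

// Call on each logged-in page: user_code must be set and match exactly one row
// (bound to the login IP here, which is optional as the post says).
function currentUser(PDO $db): ?array
{
    if (empty($_SESSION['user_code'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE user_code = ? AND login_ip = ?');
    $stmt->execute([$_SESSION['user_code'], $_SERVER['REMOTE_ADDR'] ?? '']);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}
```

On logout, clear user_code in the database as well as the session so the old code cannot be replayed.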

#12
(04-30-2017, 04:00 AM)InsiteFX Wrote: Are you hashing the password before checking it with the hashed password in the database?

Yes I am hashing it.
Reply
