DB2 Session / user authentication
#1

[eluser]Nial[/eluser]
I'm new to CodeIgniter, but am absolutely loving it so far! I've created a nice user registration script and am now looking to allow users to login. This is easy, but I'm confused with regards to session authentication. I found DB2 Session on the CodeIgniter wiki and liked the look of it, but have a few questions.

The first is: should I just place the code in my controller folder, and include it manually:
Code:
$db2session = new DB2_Session();
Or is there a special 'plugin' location that I should be slotting it into?

While I've found most of the CodeIgniter documentation to be excellent, DB2 Session's was a little sparse. I take it I'd call the sess_create() method when the user successfully logs in. And then instantiate DB2_Session in each of the controller constructors where it is necessary? To verify a user's authenticity, I'd then use sess_read()?

Provided I've got the right idea: is this substantial, security wise?
#2

[eluser]oddman[/eluser]
Without actually looking into the DB2_Session class, I assume this is for sessions stored in a database? If so, CodeIgniter has built in support for database-driven sessions. Any sessions driven by a database are a good improvement in security, but as to your other questions, unfortunately I don't know.
#3

[eluser]Rick Jolly[/eluser]
DB2_Session is a library so see the CI documentation about creating your own libraries.

Its API is the same as CI's session class, so use CI's documentation.

DB2_Session differs from CI sessions because it stores session data in the database. It's more secure because session data isn't stored on the client computer. You can also store more than 4 kb of session data (although that's usually not a good idea).
#4

[eluser]Nial[/eluser]
Quote:DB2_Session differs from CI sessions because it stores session data in the database. It’s more secure because session data isn’t stored on the client computer. You can also store more than 4 kb of session data (although that’s usually not a good idea).

This is what confuses me. I've set CI to use the database (which is possible via the vanilla CodeIgniter setup). So surely this is the same thing?

I add custom user data to my session data when the user logs in, like so:
Code:
$newdata = array(
    'email'     => $user['email'],
    'username'  => $user['username'],
    'user_id'   => $user['user_id'],
    'logged_in' => true
);

$this->session->set_userdata($newdata);

Is it safe to then rely on this data throughout my application? For instance: say I wanted to display a user's avatar. If I were to grab user_id from the user's session data, would that information ever degrade or become unavailable for any reason?

Here's a quick example:
Code:
if ( $this->session->userdata('logged_in') ) {
    $username = $this->session->userdata('username');
    // ... build the page for the logged-in user from $username
}

Any thoughts?
#5

[eluser]oddman[/eluser]
Hi Nial,

Firstly, you don't need to set logged_in = true; if those other elements will only be available when they're logged in, just check for one of those instead.

Secondly - yes, that's exactly how you would check and grab the data.
#6

[eluser]Rick Jolly[/eluser]
[quote author="Nial" date="1211858507"]
Quote:DB2_Session differs from CI sessions because it stores session data in the database. It’s more secure because session data isn’t stored on the client computer. You can also store more than 4 kb of session data (although that’s usually not a good idea).

This is what confuses me. I've set CI to use the database (which is possible via the vanilla CodeIgniter setup). So surely this is the same thing?
[/quote]

CI sessions can use the database to store the session id and some user info, but not session data. CI session data is stored in the cookie even with the database activated. So no, it's not the same as DB2_Session. Take a look at the database table for CI sessions. There is no field for session data:
Code:
CREATE TABLE IF NOT EXISTS  `ci_sessions` (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
PRIMARY KEY (session_id)
);
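To make the difference Rick Jolly describes concrete, and to answer the "is it safe to rely on this data" question from #4, here is an added example that is not from the thread, from CodeIgniter or from DB2_Session: a stock-CI-style session whose userdata rides in the cookie beside a DB2_Session-style one whose userdata stays in the database. The `session_data` column, the signing key, the HMAC (used here as a stand-in for however the real cookie is protected) and the sample userdata are all constructed for this example.

```python
import hashlib, hmac, json, sqlite3

# Constructed secret for this example only; a real app keeps it in config.
SECRET = b"example-signing-key"
TTL = 7200  # seconds of inactivity before a session counts as expired

def make_db():
    # The ci_sessions table from the post, plus a session_data column that a
    # server-side store like DB2_Session needs (the column is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ci_sessions (session_id VARCHAR(40) PRIMARY KEY, "
               "ip_address VARCHAR(16) NOT NULL, user_agent VARCHAR(50) NOT NULL, "
               "last_activity INTEGER NOT NULL, session_data TEXT)")
    return db

# Model A (stock CI): the row records the session, the cookie carries userdata.
def cookie_session_create(db, sid, ip, ua, userdata, now):
    db.execute("INSERT INTO ci_sessions VALUES (?,?,?,?,NULL)", (sid, ip, ua, now))
    body = json.dumps({"session_id": sid, **userdata}, sort_keys=True)
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + mac  # userdata leaves the server; the MAC guards integrity

def cookie_session_read(db, cookie, now):
    body, _, mac = cookie.rpartition("|")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # cookie altered on the client: reject it, never trust the userdata
    data = json.loads(body)
    row = db.execute("SELECT last_activity FROM ci_sessions WHERE session_id=?",
                     (data["session_id"],)).fetchone()
    if row is None or now - row[0] > TTL:
        return None  # unknown or expired session
    return data

# Model B (DB2_Session style): the cookie is only an id; userdata stays in the DB.
def db_session_create(db, sid, ip, ua, userdata, now):
    db.execute("INSERT INTO ci_sessions VALUES (?,?,?,?,?)",
               (sid, ip, ua, now, json.dumps(userdata)))
    return sid  # this is all the client ever holds

def db_session_read(db, sid, now):
    row = db.execute("SELECT last_activity, session_data FROM ci_sessions "
                     "WHERE session_id=?", (sid,)).fetchone()
    if row is None or now - row[0] > TTL:
        return None  # unknown or expired; a guessed id reveals nothing else
    return json.loads(row[1])
```

In model A the answer to "can I rely on user_id from the session" is only as good as the cookie's integrity check; in model B the client never holds user_id at all, which is the property Rick means by "more secure".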
#7

[eluser]oddman[/eluser]
Thanks for that Rick Jolly, wasn't aware of that - any idea why they would do that?