Session security
#1

[eluser]Unknown[/eluser]
Hello

I am new to sessions, so I wonder if my setup is secure enough. This code is for a members-only area on my site.

I have set everything to TRUE in the config about sessions. Cookie encryption etc.

The controller for the closed area is like this:
Code:
<?php

class Closed extends Controller {

    function Closed()
    {
        parent::Controller();
        $this->load->library(array('session'));

        // userdata() returns FALSE for a key that was never set. Copy the values
        // into variables before testing them: empty() applied directly to a method
        // call is a fatal error ("Can't use method return value in write context")
        // on PHP releases before 5.5.
        $logged_in = $this->session->userdata('logged_in');
        $uid       = $this->session->userdata('uid');

        // Anyone without a valid login flag and a user id is sent back to the front page.
        if ($logged_in != TRUE || empty($uid))
        {
            redirect('', 'refresh');
        }

    }

    function index()
    {
.... and so on.

Is this secure enough? The session parameters are set upon login.

Do you have any advice on making this more secure?

Thank you very much!
#2

[eluser]Seppo[/eluser]
If you have set the encryption key, that's secure. You can store your session in a database and match IP and user agent for additional security, although it is not necessary.

An extra piece of advice: you can use a Model to handle login information, so you don't have to repeat that code everywhere. =)

Instead of
Code:
$this->load->library(array('session'));

// Read the values into variables first; empty() on a method call is a fatal
// error on PHP before 5.5.
$logged_in = $this->session->userdata('logged_in');
$uid       = $this->session->userdata('uid');

if ($logged_in != TRUE || empty($uid))
{
    redirect('', 'refresh');
}

You can use

Code:
$this->load->model('login');                
        $this->login->require_login();
and your model can look like this
Code:
class Login extends Model
{
        function Login()
        {
                parent::Model();
                $this->load->library('session');
        }

        // Call this at the top of any controller that must only serve logged-in users.
        function require_login()
        {
                // Read the values into variables first; empty() on a method call
                // is a fatal error on PHP before 5.5.
                $logged_in = $this->session->userdata('logged_in');
                $uid       = $this->session->userdata('uid');

                if ($logged_in != TRUE || empty($uid))
                {
                    redirect('', 'refresh');
                }
        }
}
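The settings Seppo refers to (encryption key, database-backed sessions, IP and user-agent matching) together with a login model that also starts and ends the session, as an added example. This is not code from the thread or from the CodeIgniter project; it assumes CodeIgniter 1.7.x (the config keys are the ones that version's config.php defines), a `ci_sessions` table, and that `$uid` is the user's primary key in your own users table.

```php
<?php
// Added example, not code from the thread. Assumes CodeIgniter 1.7.x.

// --- application/config/config.php (fragment) ---------------------------------

// Weak: cookie-only sessions and no key. The cookie carries every userdata value
// (logged_in, uid, ...) in the clear, so the client can edit it.
// $config['encryption_key']      = '';
// $config['sess_encrypt_cookie'] = FALSE;
// $config['sess_use_database']   = FALSE;

// Hardened. Generate the key once (for example `openssl rand -hex 16`) and never
// ship a shared default; the string below is a placeholder, not a real key.
$config['encryption_key']       = 'replace-with-32-random-hex-chars';
$config['sess_encrypt_cookie']  = TRUE;  // cookie payload encrypted with encryption_key
$config['sess_use_database']    = TRUE;  // userdata lives server-side; cookie keeps only the id
$config['sess_table_name']      = 'ci_sessions';
$config['sess_expiration']      = 7200;  // seconds of inactivity before the session dies
$config['sess_time_to_update']  = 300;   // rotate the session id every 5 minutes
$config['sess_match_ip']        = TRUE;  // drop a session id replayed from another IP
$config['sess_match_useragent'] = TRUE;  // ...or from another browser

// sess_use_database needs this table (schema as shown in the CI 1.7 session docs;
// check the column widths against the docs for your own version):
//   CREATE TABLE IF NOT EXISTS ci_sessions (
//     session_id    varchar(40)      DEFAULT '0' NOT NULL,
//     ip_address    varchar(16)      DEFAULT '0' NOT NULL,
//     user_agent    varchar(50)      NOT NULL,
//     last_activity int(10) unsigned DEFAULT 0   NOT NULL,
//     user_data     text             NOT NULL,
//     PRIMARY KEY (session_id)
//   );

// --- application/models/login.php --------------------------------------------

class Login extends Model
{
    function Login()
    {
        parent::Model();
        $this->load->library('session');
    }

    // Call this from the controller that has just verified the password.
    // Assumption: $uid is the user's primary key from your users table.
    function start_session($uid)
    {
        $this->session->set_userdata(array(
            'logged_in' => TRUE,
            'uid'       => (int) $uid,
        ));
    }

    // Gate for members-only controllers. Returns the user id only if the
    // session is valid; otherwise it clears the session and redirects, so the
    // calling controller never continues unauthenticated.
    function require_login()
    {
        // Copy into variables first: empty() on a method call is a fatal error
        // on PHP before 5.5, and userdata() returns FALSE for a missing key.
        $logged_in = $this->session->userdata('logged_in');
        $uid       = (int) $this->session->userdata('uid');

        if ($logged_in !== TRUE || $uid <= 0)
        {
            $this->session->sess_destroy();
            redirect('', 'refresh');
        }
        return $uid;
    }

    // Destroys the server-side row and the cookie, then leaves the closed area.
    function logout()
    {
        $this->session->sess_destroy();
        redirect('', 'refresh');
    }
}
```

A controller then needs only `$this->load->model('login'); $uid = $this->login->require_login();` in its constructor. Two caveats worth knowing: `sess_match_ip` will log out users whose address changes mid-session (mobile networks, some corporate proxies), which is why Seppo calls it optional; and the 1.7 session library writes its cookie without the Secure or HttpOnly flags, so if the closed area runs over HTTPS you should set those at the web server or with your own cookie handling rather than assuming the framework does it.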
#3

[eluser]gtipete[/eluser]
Just out of interest, why would this be better in a model?
If it's just for the sake of not having the bulk of the code in the controller, then wouldn't it be better in a library?
